QUESTION have you added a content security policy to your website?
#1
I'm working on a website where we require the implementation of a Content Security Policy (CSP). It's going OK so far, but I have an issue with the inline styles that are being added (presumably via CKEditor).

Has anyone else added a CSP to any of their GS websites? I would be interested in seeing how you dealt with this issue.

Ideally without using 'unsafe-inline' if possible. I know I can use a nonce or hash, but was unsure where the inline styles were being generated.

Thanks
#2
Hi craiga,

With CSP, style elements and scripts are no longer allowed to appear directly; you must store style elements
in separate stylesheets and create separate files for each script.

This might help
https://github.com/google/csp-evaluator
https://csp-evaluator.withgoogle.com/
https://observatory.mozilla.org/
#3
(2020-11-12, 20:06:36)Felix Wrote: Hi craiga,

With CSP, style elements and scripts are no longer allowed to appear directly; you must store style elements
in separate stylesheets and create separate files for each script.

This might help
https://github.com/google/csp-evaluator
https://csp-evaluator.withgoogle.com/
https://observatory.mozilla.org/

Thanks Felix. I've already conducted a huge amount of research on CSP. My scripts are no longer inline but in separate files, as dictated by Mozilla, content-security-policy.com and numerous other resources.

My question was: what have other GS users done to ensure the inline scripts or styles generated by CKEditor or the CMS can work correctly?

Thanks
#4
Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind
#5
(2020-11-12, 23:48:46)Felix Wrote: Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind

Good one

Let's hope the new version of GS uses the newest version of CKEditor then. For now I have done what most CMS users are having to do and use 'unsafe-inline' for scripts and styles. I did some more research relating to CSP and CMS integration and it appears we are all in the same boat. WordPress, Craft, Joomla and GS: we all have the same issue.

Oh well, never mind

Thanks again for the reply
#6
(2020-11-13, 00:54:56)craiga Wrote:
(2020-11-12, 23:48:46)Felix Wrote: Hi,
Myself, I haven't done anything with CSP yet.
But maybe CKEditor 5 is an option here? It appears that CKEditor 5 is being written
with support for Content Security Policy in mind

Good one

Let's hope the new version of GS uses the newest version of CKEditor then. For now I have done what most CMS users are having to do and use 'unsafe-inline' for scripts and styles. I did some more research relating to CSP and CMS integration and it appears we are all in the same boat. WordPress, Craft, Joomla and GS: we all have the same issue.

Oh well, never mind

Thanks again for the reply
https://content-security-policy.com/#source_list has some very good information. I currently use <meta http-equiv="Content-Security-Policy" content="https: img-src https:">, which allows my Google Fonts and socialization icons.