Content-Security-Policy fixes #2723
Conversation
koenpunt
force-pushed
the
csp-fixes
branch
4 times, most recently
from
40c63fc
to
7834a3c
Compare
|
ping ✨ @harvesthq/chosen-developers @stof |
| @@ -6,9 +6,25 @@ | |||
| <link rel="stylesheet" href="docsupport/style.css"> | |||
| <link rel="stylesheet" href="docsupport/prism.css"> | |||
| <link rel="stylesheet" href="chosen.css"> | |||
|
|
|||
| <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://ajax.googleapis.com; style-src 'self' 'sha256-MzlZlLruPmzLm/yy8z6yCpmyo5QSe/SURdcVrrJx880='; img-src 'self' data:"> | |||
There was a problem hiding this comment.
using a nonce rather than a hash may make maintenance easier, by avoiding to recompute the hash when updating the demo CSS (which will be forgotten for sure)
There was a problem hiding this comment.
Even though calculating the hash is easy, because the correct one is logged to the console when using an incorrect hash, the forgetting part is true.
But then again, a nonce isn't safe if not regenerated on every request. Not that there's really a security risk at this page, I still think we shouldn't advertise the less secure option.
Maybe we can move the CSP additions to the build process of the documentation, and leave out the header in the HTML here.
Or validate the HTML in the build process, if possible.
There was a problem hiding this comment.
Or better yet, we can just move the rules to docsupport/style.css
There was a problem hiding this comment.
as we already have a CSS file for the doc, this is indeed the best way
| </div> | ||
| """ | ||
|
|
||
| get_no_results_template: (terms) -> |
There was a problem hiding this comment.
this is not really returning a template. It is rendering a template
There was a problem hiding this comment.
Yeah thought of that. Same applies for get_multi/get_single. Maybe a suffix of _html is better.
koenpunt
force-pushed
the
csp-fixes
branch
2 times, most recently
from
18a0871
to
f6db804
Compare
when the Content-Security-Policy doesn't include 'unsafe-inline', setting the style attribute directly is not allowed.
remove inline style from search input field
To make Chosen compatible with restrictive Content-Security-Policies, I've updated the way we apply inline styles to elements.
The HTML used to build the select is now defined in AbstractChosen.
I also updated the documentation pages with a CSP header as an example.
fixes #2423
related #2575