Support for Content-Security-Policy headers via nonce attribute of script/style tags, to avoid need for unsafe-inline CSP rule #512
Comments
Improved with the new code above. However, in the Sequence widget, there are also prototype pieces of code that get cloned by Deform and evaluated ("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script...") and dynamic style rewriting by jQuery ("Refused to apply inline style because it violates the following Content Security Policy directive..."). I'm not sure how those should best be handled.

Requirement for evaluating Javascript removed (along with a bugfix) in latest commit just now. The jQuery "inline style" problem remains but perhaps that will go with a later jQuery version as per #511.

Thank you for the PR @RudolfCardinal. Please allow me a few days until I have the opportunity to review and think this over. I need to think about additional functional tests, as well as handling the sequence widgets and dynamic style rewriting. Meanwhile if you have not yet done so, would you please sign https://github.com/Pylons/deform/blob/main/CONTRIBUTORS.txt? Also the lint build fails on

Thanks -- I've tried again via
Setting the `Content-Security-Policy` (CSP) HTTP header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy), which is a good thing, means that inline `<script>` and `<style>` tags will be blocked by the browser unless either the `unsafe-inline` CSP policy is used, which is a bad thing, or a hash or nonce is used. Of those, the nonce method is simpler. That requires `<script nonce="NONCE_FOR_THIS_RESPONSE">` and `<style nonce="NONCE_FOR_THIS_RESPONSE">`, matching the value of the nonce set in the response CSP header.

I don't think Deform supports this at present, and so some of its scripts/styles are blocked in this security environment. Would nonce support be reasonable to add? I imagine that `Form` could take a `nonce` parameter (default `None`); if present, its value could be propagated through all Deform `.pt` templates.
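The mechanism the issue describes, as an added example that is not part of the issue or of Deform's code: a per-response nonce is generated, placed in the `script-src` / `style-src` directives of the CSP header, and stamped on every inline `<script>` and `<style>` tag the form renders. The `NoncedForm` class is a hypothetical sketch of the proposed `nonce=None` parameter, not Deform's actual `Form`; `blocked_inline_tags` is a simplified model of the browser's check (inline tags only, no `src=`/`href=` handling) used to show which tags a policy would refuse.

```python
from __future__ import annotations

import re
import secrets
from html import escape


def make_nonce(nbytes: int = 16) -> str:
    """Return a fresh, unguessable nonce for one HTTP response.

    A nonce must be generated per response from a CSPRNG; a reused or
    predictable nonce gives no more protection than 'unsafe-inline'.
    """
    return secrets.token_urlsafe(nbytes)


def csp_header(nonce: str) -> str:
    """Build a Content-Security-Policy value that permits inline scripts
    and styles only when they carry this nonce (no 'unsafe-inline')."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )


def script_tag(nonce: str, js: str) -> str:
    """Render an inline <script> carrying the per-response nonce.
    `js` is trusted template code here, so only the attribute is escaped."""
    return f'<script nonce="{escape(nonce, quote=True)}">{js}</script>'


def style_tag(nonce: str, css: str) -> str:
    """Render an inline <style> carrying the per-response nonce."""
    return f'<style nonce="{escape(nonce, quote=True)}">{css}</style>'


class NoncedForm:
    """Hypothetical sketch of the proposed API (not Deform's Form): an
    optional nonce that is propagated to every inline tag rendered."""

    def __init__(self, nonce: str | None = None) -> None:
        self.nonce = nonce

    def render_assets(self, scripts: list[str], styles: list[str]) -> str:
        parts = []
        for css in styles:
            parts.append(style_tag(self.nonce, css) if self.nonce else f"<style>{css}</style>")
        for js in scripts:
            parts.append(script_tag(self.nonce, js) if self.nonce else f"<script>{js}</script>")
        return "\n".join(parts)


_TAG_RE = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
_NONCE_ATTR_RE = re.compile(r'\bnonce="([^"]*)"')


def allowed_nonces(header: str, directive: str) -> set[str]:
    """Collect the 'nonce-...' sources of a directive, falling back to
    default-src when the directive is absent (as browsers do)."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get(directive, directives.get("default-src", []))
    return {t[len("'nonce-"):-1] for t in sources
            if t.startswith("'nonce-") and t.endswith("'")}


def blocked_inline_tags(header: str, html: str) -> list[str]:
    """Simplified browser check: an inline <script>/<style> is allowed only
    if its nonce attribute matches a nonce in the governing directive.
    Returns the opening tags that would be refused."""
    blocked = []
    for m in _TAG_RE.finditer(html):
        kind, attrs = m.group(1).lower(), m.group(2)
        directive = "script-src" if kind == "script" else "style-src"
        nm = _NONCE_ATTR_RE.search(attrs)
        tag_nonce = nm.group(1) if nm else None
        if tag_nonce is None or tag_nonce not in allowed_nonces(header, directive):
            blocked.append(m.group(0))
    return blocked


def demo() -> tuple[list[str], list[str]]:
    """Render the same constructed assets with and without the nonce and
    report which tags the policy would block in each case."""
    nonce = make_nonce()
    header = csp_header(nonce)
    scripts = ["deform.load();"]                      # constructed sample
    styles = [".deform-hidden { display: none; }"]    # constructed sample
    with_nonce = NoncedForm(nonce=nonce).render_assets(scripts, styles)
    without_nonce = NoncedForm().render_assets(scripts, styles)
    return blocked_inline_tags(header, with_nonce), blocked_inline_tags(header, without_nonce)


if __name__ == "__main__":
    ok, bad = demo()
    print("blocked with nonce:", ok)
    print("blocked without nonce:", bad)
```

Running the module prints an empty list for the nonced render and the two bare `<style>` / `<script>` tags for the un-nonced one. Note that the nonce only covers tags emitted by the server; code that the browser later evaluates from strings (`unsafe-eval`) or styles that jQuery writes into `style` attributes are separate CSP violations that a nonce cannot address.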