Delete button for ActiveStorage fields uses inline Javascript #3087

Closed
lengyelg opened this issue Nov 12, 2018 · 1 comment

@lengyelg

As the Delete button for ActiveStorage fields uses inline JavaScript (in its onclick attribute), it's not compatible with a secure Content Security Policy (CSP) header.

Currently the only way to get deletion to work is to disable CSP for the application (or add unsafe-inline to default-src, but that's about the same). This is wrong and greatly increases the XSS risk. Any JavaScript should be loaded from .js files.
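
To make the trade-off in the report concrete, here is an added example (not code from the project or from the issue's author) that models how a browser's CSP script-src decision treats an inline onclick handler versus a script served from a .js file, plus a static check for inline handlers in view markup; the policy strings, page origin and button markup are constructed for illustration.

```javascript
// Added example, not the project's code. Simplified CSP model: handles
// 'self', 'unsafe-inline', nonces and plain origins; hash sources and
// 'unsafe-hashes' are deliberately left out.

// Parse a CSP header into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// script is one of:
//   { kind: 'inline-handler' }            an onclick="..." attribute
//   { kind: 'inline-script', nonce }      a <script nonce="..."> block
//   { kind: 'external', url }             a <script src="..."> from a .js file
// pageOrigin is the origin of the document, e.g. 'https://admin.example.test'.
function scriptAllowed(header, script, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true; // no directive governs scripts at all
  const nonces = sources.filter(s => s.startsWith("'nonce-"));
  // From CSP level 2 on, 'unsafe-inline' is ignored once a nonce is listed.
  const unsafeInline = sources.includes("'unsafe-inline'") && nonces.length === 0;
  switch (script.kind) {
    case 'inline-handler': // event handler attributes cannot carry a nonce
      return unsafeInline;
    case 'inline-script':
      return unsafeInline || nonces.includes(`'nonce-${script.nonce}'`);
    case 'external': {
      const origin = new URL(script.url).origin;
      return sources.some(s => s === '*' ||
        (s === "'self'" && origin === pageOrigin) || s === origin);
    }
    default:
      return false;
  }
}

// Static check for templates: any on*= attribute or javascript: URL is an
// inline script and will only run under 'unsafe-inline'.
function inlineHandlers(html) {
  return html.match(/\bon[a-z]+\s*=|javascript:/gi) || [];
}

// Constructed markup: the reported pattern, and a CSP-friendly form whose
// behaviour lives in a .js file that listens for clicks on data-action.
const INLINE_BUTTON = '<a href="#" onclick="this.closest(\'.field\').querySelector(\'input\').value = \'\'; return false;">Delete</a>';
const UNOBTRUSIVE_BUTTON = '<a href="#" data-action="clear-attachment">Delete</a>';
```

Running scriptAllowed with "default-src 'self'" rejects the inline handler but accepts a same-origin .js file, which is exactly the gap the report describes.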

@spikeheap

We're experiencing this issue as well. @mshibuya have you or another maintainer had any thoughts on this?

@mshibuya mshibuya added this to the 2.0.0 milestone May 8, 2019