Use Content-Secure-Policy compatible scripts #2419

Open
reixav opened this issue Jul 28, 2024 · 0 comments
Labels
C-enhancement Category: Enhancement or feature request

Comments

@reixav

reixav commented Jul 28, 2024

Problem

Trying to enable CSP in the webserver and serve mdBook is a little bit difficult, as inline scripts are not recommended by default.
Perhaps you could implement hash-like scripts:

<script
  src="https://example.com/example-framework.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"></script>

and move from unsafe inline scripts to nonces.

Proposed Solution

No response

Notes

I have tested with nginx with:

add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self'; img-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; frame-ancestors 'none'; form-action 'none'; script-src 'self' 'unsafe-inline'; block-all-mixed-content" always;
@reixav reixav added the C-enhancement Category: Enhancement or feature request label Jul 28, 2024
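The hash-based approach the issue asks for can be applied to any static build output today, outside of mdBook itself. The following is an added example, not code from the mdBook project or from the issue author: it collects the exact text of every inline script in a set of generated HTML pages, hashes each one the way a browser does for CSP, and rewrites the script-src directive of the nginx policy quoted above so that 'unsafe-inline' can be dropped. The two HTML pages are constructed stand-ins for generated output; SAMPLE_POLICY is the policy from the issue. It also includes a check for whether a policy really permits inline scripts, and the Subresource Integrity digest used by the integrity attribute in the snippet above.

```python
"""Derive hash sources for a CSP script-src directive from static HTML pages."""
import base64
import hashlib
from html.parser import HTMLParser


class InlineScriptCollector(HTMLParser):
    """Collect the exact body of each inline <script> and the src of each external one."""

    def __init__(self):
        super().__init__()
        self.inline_bodies = []
        self.external_srcs = []
        self._buf = None  # a list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_srcs.append(src)  # covered by 'self' or an explicit host source
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)  # raw text: HTMLParser does not unescape script content

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_bodies.append("".join(self._buf))
            self._buf = None


def csp_hash_source(body: str, algo: str = "sha256") -> str:
    """CSP source expression ('sha256-<base64>') for one inline script.

    The browser hashes the UTF-8 text exactly as it sits between the tags,
    leading and trailing whitespace included, so the body must not be trimmed.
    """
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute (Subresource Integrity)."""
    digest = hashlib.new(algo, content).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def parse_policy(policy: str) -> dict:
    """Split a CSP header value into {directive-name: [source tokens]}, order preserved."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_policy(directives: dict) -> str:
    return "; ".join(" ".join([name] + tokens) for name, tokens in directives.items())


def script_src_allows_unsafe_inline(policy: str) -> bool:
    """True if the policy actually lets inline scripts run.

    Since CSP Level 2, 'unsafe-inline' is ignored in a directive that also
    carries a nonce- or hash-source, so a hashed policy stays strict even if
    the keyword is left in for pre-CSP2 browsers.
    """
    directives = parse_policy(policy)
    tokens = directives.get("script-src", directives.get("default-src", []))
    strict = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in tokens)
    return "'unsafe-inline'" in tokens and not strict


def harden_policy(policy: str, pages) -> str:
    """Replace 'unsafe-inline' in script-src with a hash source per distinct inline script."""
    directives = parse_policy(policy)
    tokens = [t for t in directives.get("script-src", ["'self'"]) if t != "'unsafe-inline'"]
    for html in pages:
        collector = InlineScriptCollector()
        collector.feed(html)
        collector.close()
        for body in collector.inline_bodies:
            source = csp_hash_source(body)
            if source not in tokens:  # the same script on many pages needs one hash
                tokens.append(source)
    directives["script-src"] = tokens
    return serialize_policy(directives)


# The policy from the issue's nginx configuration.
SAMPLE_POLICY = (
    "default-src 'self'; base-uri 'self'; style-src 'self'; img-src 'self'; "
    "font-src 'self'; media-src 'self'; object-src 'self'; frame-ancestors 'none'; "
    "form-action 'none'; script-src 'self' 'unsafe-inline' ; block-all-mixed-content"
)

# Constructed stand-ins for generated pages: two distinct inline scripts (one of
# them repeated on the second page) plus one external script.
SAMPLE_PAGES = [
    '<html><head><script>var x = 1;</script><script src="book.js"></script></head>'
    '<body><script>\n  document.body.classList.add("ready");\n</script></body></html>',
    '<html><head><script>var x = 1;</script></head><body></body></html>',
]

if __name__ == "__main__":
    hardened = harden_policy(SAMPLE_POLICY, SAMPLE_PAGES)
    print("inline allowed before:", script_src_allows_unsafe_inline(SAMPLE_POLICY))
    print("inline allowed after: ", script_src_allows_unsafe_inline(hardened))
    print(hardened)
```

Hashes fit statically generated output because they depend only on the script text, whereas a nonce has to be fresh for every response, which a plain file server cannot provide without rewriting each page on the fly. The flip side is that any change to an inline script in the build output, including whitespace, changes its hash, so the directive has to be regenerated with every build.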