Content Security Policy Compatibillity

Created on 8 December 2023, about 1 year ago

Problem/Motivation

When the Content Security Policy style-src 'self' is applied, the browser is rejecting certain inline styles and tokens.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://cdn.dxpr.com cdn.dxpr.com cdn.userway.org *.userway.org cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com https://cdn.jsdelivr.net https://cdn.knightlab.com https://cdnjs.cloudflare.com https://unpkg.com https://use.fontawesome.com unpkg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-+vSMUtc4p1lhOpjCSeU72KFp2447cW3EsDB7Sni55pM='), or a nonce ('nonce-...') is required to enable inline execution.

Looks like the embedded CKEditor and the Ace editor are related.

Steps to reproduce

1- Activate the module: https://www.drupal.org/project/csp โ†’
2- Enforce the policy: style-src 'self'

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

๐Ÿ› Bug report
Status

Closed: works as designed

Version

2.5

Component

Code

Created by

๐Ÿ‡จ๐Ÿ‡ดColombia Freddy Rodriguez Bogotรก

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @Freddy Rodriguez
  • Status changed to Closed: works as designed about 1 year ago
  • ๐Ÿ‡ณ๐Ÿ‡ฑNetherlands jurriaanroelofs

    Thank you for your ticket. I'm not sure if this is a bug, or just the content security policy doing exactly what it is designed for.

    The purpose of using style-src 'self' is to restrict the website from loading stylesheets from any external sources. DXPR Builder needs to load both stylesheets and javascript assets from our cloud infrastructure. This is not something we can fix from our side but something that requires a tailored strategy from the CSP implementation side. Some options you have:

    1. Replace style-src 'self' with style-src https://example.com https://cdn.dxpr.com; where example.com is your domain name.
    2. Configure your website to apply the stricter rule style-src 'self' only to user roles that do not use DXPR Builder
    3. Keep using style-src 'self' but creating a proxy on your own domain to funnel assets from whitelisted domains

    Please consult compliance officers and security specialized software engineers in your organization to find the best solution that meets requirements in your situation.

Production build 0.71.5 2024