As in #2942401: CKEditor is broken without 'unsafe-inline', some libraries may require 'unsafe-inline'.
If the dependency can't be removed, its impact could at least be mitigated by only applying the rule on the pages where the affected libraries are actually in use, instead of applying the value globally.

Comments

gapple created an issue.

gapple

Title: API for modules to alter policy per-request » Only apply 'unsafe' flags when dependent libraries are included on page
Category: Task » Feature request

I would like to avoid encouraging per-request alterations, but if CSP requires this functionality internally, it's not difficult to open up the ability to other modules as well.

gapple

At least for ckeditor, the need for this is mitigated a bit by the new script-src-attr and script-src-elem directives, which will allow limiting inline scripts to element event handling attributes (e.g. onclick, as needed by ckeditor), and block inline script blocks.

e.g.

  script-src 'self' 'unsafe-inline';
  script-src-attr 'unsafe-inline';
  script-src-elem 'self'

See
#3015921: Implement *-src-elem and *-src-attr directives
#3016001: Use script-src-attr to limit effect of 'unsafe-inline' for CKEditor support
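The following is an added example, not code from the CSP module or from gapple. It illustrates both the idea in the issue summary (add 'unsafe-inline' only on pages where a library that needs it is attached) and the point of this comment (script-src-attr and script-src-elem let a policy allow inline event-handler attributes while still blocking inline script blocks). The library name "core/ckeditor" and the requirements registry are constructed for illustration; the fallback chain (granular directive -> script-src/style-src -> default-src) and the rule that a nonce or hash source disables 'unsafe-inline' follow CSP Level 3.

```python
"""Added example, not the Drupal CSP module's code: assemble a policy per page,
adding 'unsafe-inline' only to the directives a page's attached libraries need,
then check which inline contexts the resulting policy actually allows."""

# Constructed registry: library -> directive -> extra sources it requires.
# Modelled on the CKEditor case in this issue (inline event handlers and
# inline styles); the library name and values are illustrative assumptions.
LIBRARY_REQUIREMENTS = {
    "core/ckeditor": {
        "script-src-attr": ["'unsafe-inline'"],
        "style-src-elem": ["'unsafe-inline'"],
    },
}

# Policy applied to every page; 'unsafe-inline' is deliberately absent.
BASE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "script-src-elem": ["'self'"],
    "style-src": ["'self'"],
}

# CSP3 fallback chain: a missing granular directive inherits from its parent.
FALLBACK = {
    "script-src-elem": "script-src",
    "script-src-attr": "script-src",
    "style-src-elem": "style-src",
    "style-src-attr": "style-src",
    "script-src": "default-src",
    "style-src": "default-src",
}


def effective_sources(policy, directive):
    """Walk the fallback chain until a directive present in the policy is found."""
    while directive not in policy:
        directive = FALLBACK.get(directive)
        if directive is None:
            return []
    return policy[directive]


def build_policy(attached_libraries):
    """Base policy plus only the allowances the attached libraries require.
    A granular directive introduced here is seeded with its fallback value, so
    adding 'unsafe-inline' to style-src-elem keeps 'self' instead of silently
    blocking the site's own stylesheets."""
    policy = {name: list(sources) for name, sources in BASE_POLICY.items()}
    for library in attached_libraries:
        for directive, extra in LIBRARY_REQUIREMENTS.get(library, {}).items():
            if directive not in policy:
                policy[directive] = list(effective_sources(policy, directive))
            for source in extra:
                if source not in policy[directive]:
                    policy[directive].append(source)
    return policy


def render(policy):
    """Serialise the policy as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def inline_allowed(policy, context):
    """Does the policy allow inline behaviour for a context such as
    'script-attr' (onclick="...") or 'script-elem' (<script> blocks)?
    Per CSP3, 'unsafe-inline' is ignored when the governing source list also
    carries a nonce or hash source, or 'strict-dynamic' for scripts."""
    kind, where = context.split("-")
    sources = effective_sources(policy, f"{kind}-src-{where}")
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return False
    if kind == "script" and "'strict-dynamic'" in sources:
        return False
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    for libraries in ([], ["core/ckeditor"]):
        policy = build_policy(libraries)
        print(f"libraries={libraries}")
        print("  Content-Security-Policy:", render(policy))
        for context in ("script-elem", "script-attr", "style-elem", "style-attr"):
            print(f"  inline {context:<11} allowed: {inline_allowed(policy, context)}")
```

With no libraries attached, every inline context is blocked; with the constructed CKEditor library attached, only inline event-handler attributes and inline style elements become allowed, while inline <script> blocks stay blocked because script-src-elem still reads 'self'.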

gapple

It looks like #2952390: Off-canvas styles override CKEditor's reset and theme also introduced the need for style-src 'unsafe-inline'; style-src-elem 'unsafe-inline'.

gapple

Status: Active » Fixed

This was handled for CKEditor and Umami in #2895245: API for modules to alter policy.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.