As in #2942401: CKEditor is broken without 'unsafe-inlne', some libraries may require 'unsafe-inline'.
If the dependency can't be removed, its impact could at least be mitigated by only applying the rule on the pages where the affected libraries are actually in use, instead of applying the value globally.
Comments
Comment #2
gapple
I would like to avoid encouraging per-request alterations, but if CSP requires this functionality internally, it's not difficult to open up the ability to other modules as well.
Comment #3
gapple
At least for ckeditor, the need for this is mitigated a bit by the new script-src-attr and script-src-elem directives, which will allow limiting inline scripts to element event handling attributes (e.g. onclick, as needed by ckeditor), and block inline script blocks.
e.g.
See
#3015921: Implement *-src-elem and *-src-attr directives
#3016001: Use script-src-attr to limit effect of 'unsafe-inline' for CKEditor support
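The effect described in Comment #3, modelled as an added example that is not part of this thread or of the CSP module's code: which directive governs an inline script block versus an inline event handler attribute, following the CSP Level 3 fallback order. The function names and the three policies are constructed for illustration, and 'unsafe-hashes' is not modelled.

```javascript
// Parse a policy string into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fallback chains for the two kinds of inline script.
const FALLBACK = {
  element: ['script-src-elem', 'script-src', 'default-src'],   // <script>...</script>
  attribute: ['script-src-attr', 'script-src', 'default-src'], // onclick="..."
};

// True if an inline script of the given kind, carrying no nonce, would run.
function inlineAllowed(policy, kind) {
  const directives = parsePolicy(policy);
  const effective = FALLBACK[kind].find((d) => directives.has(d));
  if (!effective) return true; // no governing directive: scripts are unrestricted
  const sources = directives.get(effective).map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' in the same directive makes browsers
  // ignore 'unsafe-inline'.
  const overridden = sources.some(
    (s) => /^'(nonce|sha(256|384|512))-/.test(s) || s === "'strict-dynamic'"
  );
  return sources.includes("'unsafe-inline'") && !overridden;
}

// Constructed policies for comparison.
const GLOBAL = "script-src 'self' 'unsafe-inline'";
const LIMITED = "script-src 'self'; script-src-attr 'unsafe-inline'";
// Keeps attribute handlers working in browsers without *-attr/*-elem support,
// at the cost of falling back to the GLOBAL behaviour there.
const COMPAT =
  "script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'unsafe-inline'";

for (const [label, policy] of Object.entries({ GLOBAL, LIMITED, COMPAT })) {
  console.log(label, 'block:', inlineAllowed(policy, 'element'),
    'handler:', inlineAllowed(policy, 'attribute'));
}
```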
Comment #4
gapple
It looks like #2952390: Off-canvas styles override CKEditor's reset and theme also introduced the need for style-src 'unsafe-inline'; style-src-elem 'unsafe-inline'
Comment #5
gapple
This was handled for CKEditor and Umami in #2895245: API for modules to alter policy