[openstreetmap/openstreetmap-website] Added color preview box in tag browser sidebar (#1779)

Štefan Baebler notifications at github.com
Mon Mar 19 15:21:02 UTC 2018


But still, CSP has `nonce`s for exactly such purposes, to allow some specific use instead of the general `unsafe-inline` directive.
Resorting to JavaScript is a possible workaround, but it also has to be done properly (e.g. to not just `eval()` the data attribute :) )

And of course, it also depends on the framework's support for CSP and how easy it is to use `nonce`s.

The secure_headers gem seems to support this just fine, but as soon as the `nonce` is present in CSP `style-src`, browsers will stop allowing `unsafe-inline`, breaking the styling in such places, so it needs to be done throughout the website at once, or have the CSP in report-only mode for a while until all instances are tackled.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/1779#issuecomment-374250424
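
The behaviour the message describes, as an added example that is not code from the thread or from openstreetmap-website: a simplified model of how a browser decides whether an inline style is allowed, showing that adding a nonce to `style-src` switches off `'unsafe-inline'`, and what a report-only rollout would flag. The policy strings, the nonce value `r4nd0m` and the list of inline uses are constructed samples; hash matching and the `style-src-elem`/`style-src-attr` directives are left out of the model.

```javascript
// Simplified model of CSP handling of inline styles (assumption: only
// style-src with default-src fallback; hash sources are detected, not matched).
function styleSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives.get('style-src') ?? directives.get('default-src') ?? null;
}

// kind is 'element' for <style> blocks or 'attribute' for style="...".
function inlineStyleAllowed(policy, kind, nonce = '') {
  const sources = styleSources(policy);
  if (sources === null) return true; // no directive governs styles
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // 'unsafe-inline' only counts when no nonce or hash source is present.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  // Only <style> elements can carry a nonce; style="" attributes cannot.
  if (kind === 'element' && nonce !== '') return sources.includes(`'nonce-${nonce}'`);
  return false;
}

// What a Report-Only rollout would surface: inline uses the policy blocks.
function violations(policy, inlineUses) {
  return inlineUses.filter((u) => !inlineStyleAllowed(policy, u.kind, u.nonce));
}

// Constructed sample policies and inline uses.
const LEGACY = "default-src 'self'; style-src 'self' 'unsafe-inline'";
const NONCED = "default-src 'self'; style-src 'self' 'unsafe-inline' 'nonce-r4nd0m'";
const USES = [
  { where: 'layout <style nonce>', kind: 'element', nonce: 'r4nd0m' },
  { where: 'colour preview style=""', kind: 'attribute' },
  { where: 'old partial <style>', kind: 'element' },
];

console.log(violations(LEGACY, USES).map((u) => u.where));
console.log(violations(NONCED, USES).map((u) => u.where));
```

Under the nonce policy, every inline style that has not been migrated is blocked, including `style=""` attributes, which is why the change has to land site-wide or be observed in report-only mode first.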