[openstreetmap/openstreetmap-website] update script-src CSP rules for iD (PR #4841)

Martin Raifer notifications at github.com
Sun May 26 15:07:29 UTC 2024


PS: I noticed that as of #4627 the content security policy has a `nonce` set up[^1] for the `style-src` attribute. This makes specifying `unsafe-inline` for iD essentially obsolete, as modern browsers will ignore it in favor of nonce'd inline styles.

Inline styles were allowed in iD's CSP since c5d3335a6c5d4a1b74d3f9d509bbc6c7dba65fb2, but I don't think we still need them today[^2]. But maybe I'm overlooking something? :thinking: 

[^1]: See https://github.com/openstreetmap/openstreetmap-website/pull/4627/files#diff-c1c619ffb7b249550067cb696b8e7d6c29d1efe2ed4cf5b7a8bb6bed47b409d1R41
[^2]: Apart from some unnecessary inline styles in some of the bundled icons, which I just transformed into proper svg attributes with https://github.com/openstreetmap/iD/commit/3de2840ac3b5849bfdecd5f0b9b9a83be262e7e2

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/4841#issuecomment-2132253415

Message ID: <openstreetmap/openstreetmap-website/pull/4841/c2132253415 at github.com>
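The nonce rule described in the comment above, as an added example that is not part of the PR or of the openstreetmap-website project: a small JavaScript model of how a CSP3-conformant browser decides whether an inline `<style>` is applied under a given `style-src` directive. It assumes a simplified header grammar (no reporting or `unsafe-hashes` handling) and uses constructed header values and nonces.

```javascript
// Added example, not project code. Models the CSP3 rule that matters here:
// when the governing directive contains any 'nonce-...' or 'sha256/384/512-...'
// source, 'unsafe-inline' is ignored, so keeping it alongside a nonce is dead
// weight. All header strings and nonces used with these functions are constructed.

// Parse "directive sources; directive sources" into a Map of name -> [sources].
// The first occurrence of a directive wins, as in the spec; quotes are stripped
// from keyword sources ('self', 'unsafe-inline', 'nonce-...').
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (directives.has(name)) continue;
    directives.set(name, tokens.slice(1).map((s) => s.replace(/^'|'$/g, "")));
  }
  return directives;
}

// Inline styles are governed by style-src, falling back to default-src.
function governingSources(directives) {
  return directives.get("style-src") ?? directives.get("default-src") ?? null;
}

function hasNonceOrHash(sources) {
  return sources.some((s) => /^(nonce|sha256|sha384|sha512)-/.test(s));
}

// Would an inline <style> carrying `nonceAttr` (null = no nonce attribute) be applied?
function inlineStyleAllowed(header, nonceAttr = null) {
  const sources = governingSources(parseCsp(header));
  if (sources === null) return true; // no governing directive: nothing is restricted
  if (nonceAttr !== null && sources.includes(`nonce-${nonceAttr}`)) return true;
  // 'unsafe-inline' only takes effect when no nonce or hash source is present.
  return sources.includes("unsafe-inline") && !hasNonceOrHash(sources);
}

// True when the directive lists 'unsafe-inline' that browsers will ignore anyway.
function unsafeInlineIsObsolete(header) {
  const sources = governingSources(parseCsp(header));
  return sources !== null && sources.includes("unsafe-inline") && hasNonceOrHash(sources);
}
```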

