Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#13 2022-11-30 09:34:49

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,220
Website

Re: CSP and nonces?

CSP implementation notes, after setting this up on the aforementioned client site.

note one

To cover support for older versions of Safari (< 15.4) (and others) which does not support 'strict-dynamic', , there are two options. One – instead of using 'strict-dynamic', use 'self'. The second one, add https to your script-src. I think the first option is more secure than the second, some CSP validation sites might complain a little.

  • script-src 'self' 'nonce-%{UNIQUE_ID}e';
  • script-src 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' https:;

You can always add a stricter script-src-elem 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' for newer browsers (including Safari > 15.4 and the upcoming Firefox 108).

Second note

If you use SVG’s as img, then include the following, else Firefox is not happy and does not show the styling in the SVG (especially if you use <style /> or style attributes):

<IfModule mod_headers.c>
 	<FilesMatch "\.svg$">
 		Header	set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"
 	</FilesMatch>
 </IfModule>

I added that in a htaccess in the folder containing the SVG files, in order not to slow down the whole things by unnecessary lookups thru the root htacess.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

Board footer

Powered by FluxBB