Textpattern CMS support forum
Re: CSP and nonces?
CSP implementation notes, after setting this up on the aforementioned client site.
Note one
To cover support for older versions of Safari (< 15.4) (and others) which do not support 'strict-dynamic', there are two options. One: instead of using 'strict-dynamic', use 'self'. The second one: add https: to your script-src. I think the first option is more secure than the second; some CSP validation sites might complain a little.
script-src 'self' 'nonce-%{UNIQUE_ID}e';
script-src 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' https:;
You can always add a stricter script-src-elem 'strict-dynamic' 'nonce-%{UNIQUE_ID}e' for newer browsers (including Safari > 15.4 and the upcoming Firefox 108).
Second note
If you use SVGs as img, then include the following, else Firefox is not happy and does not show the styling in the SVG (especially if you use <style /> or style attributes):
<IfModule mod_headers.c>
<FilesMatch "\.svg$">
Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"
</FilesMatch>
</IfModule>
I added that in an .htaccess in the folder containing the SVG files, in order not to slow down the whole thing by unnecessary lookups through the root .htaccess.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
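To see why the post prefers the 'self' fallback over the https: fallback, here is an added example (not code from the post or from Textpattern) that models how a browser with and without 'strict-dynamic' / script-src-elem support evaluates the two script-src variants quoted above. The nonce value, page URL and CDN URL are constructed placeholders; the nonce stands in for Apache's expanded %{UNIQUE_ID}e, and hash sources are not modelled.

```python
from urllib.parse import urlsplit

# Constructed browser profiles: MODERN understands 'strict-dynamic' and
# script-src-elem (e.g. Safari 15.4+), LEGACY understands neither (Safari < 15.4).
MODERN = {"strict_dynamic": True, "script_src_elem": True}
LEGACY = {"strict_dynamic": False, "script_src_elem": False}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def script_allowed(header, page_url, browser, src=None, nonce=None):
    """True if a <script src=... nonce=...> (src=None means inline) may run."""
    policy = parse_csp(header)
    sources = None
    if browser["script_src_elem"]:               # script-src-elem overrides
        sources = policy.get("script-src-elem")   # script-src where supported
    if sources is None:
        sources = policy.get("script-src", policy.get("default-src", []))
    nonces = {s[7:-1] for s in sources if s.startswith("'nonce-")}
    if nonce is not None and nonce in nonces:
        return True
    # When 'strict-dynamic' is understood, host/scheme sources, 'self' and
    # 'unsafe-inline' are ignored: only nonced (or hashed) scripts remain.
    if "'strict-dynamic'" in sources and browser["strict_dynamic"]:
        return False
    if src is None:  # inline script: 'unsafe-inline' is ignored once nonces exist
        return "'unsafe-inline'" in sources and not nonces
    for s in sources:
        if s == "'self'" and origin(src) == origin(page_url):
            return True
        if s.endswith(":") and urlsplit(src).scheme == s[:-1].lower():
            return True  # scheme source such as https:
        if not s.startswith("'") and "://" in s and origin(src) == origin(s):
            return True  # host source written as a full origin
    return False
```

With the https: fallback, a legacy browser runs any un-nonced script served over HTTPS, while the 'self' fallback confines it to same-origin scripts.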