Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)

* Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src
5 years ago · e1629a7758
parent 0d62e09707
commit e1629a7758
3 changed files with 14 additions and 1 deletions
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@ -26,6 +26,8 @@
    = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
    = csrf_meta_tags

+    = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
+
    - if Setting.custom_css.present?
      = stylesheet_link_tag custom_css_path, media: 'all'

--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -22,7 +22,7 @@ Rails.application.config.content_security_policy do |p|
  p.frame_ancestors :none
  p.font_src        :self, assets_host
  p.img_src         :self, :https, :data, :blob, assets_host
-  p.style_src       :self, :unsafe_inline, assets_host
+  p.style_src       :self, assets_host
  p.media_src       :self, :https, :data, assets_host
  p.frame_src       :self, :https
  p.manifest_src    :self, assets_host
--- a/public/inert.css
+++ b/public/inert.css
@ -0,0 +1,11 @@
+[inert] {
+  pointer-events: none;
+  cursor: default;
+}
+
+[inert], [inert] * {
+  user-select: none;
+  -webkit-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
+}