CSP policy: avoid inline
Opened issue here: https://github.com/decidim/decidim/issues/16088
- Go to the CSP evaluator: https://csp-evaluator.withgoogle.com/
- Enter the Decidim URL
- meta.decidim.org: evaluator reports an error; expected result: all checks green
- Error reported: Decidim allows inline scripts (script-src includes 'unsafe-inline')
Tasks
- Add a CSP nonce to script tags (javascript_tag(nonce: true), see https://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html#method-i-javascript_tag)
- Remove 'unsafe-inline' and 'unsafe-eval' from the CSP script-src directive
- Add csp_content_policy to the default policies in https://github.com/decidim/decidim/blob/f2f89e2ae866a434a94839a65d2a416302c0b87e/decidim-core/lib/decidim/content_security_policy.rb
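Worked example of the three tasks above in plain Ruby (added here for illustration; this is not Decidim's content_security_policy.rb nor Rails code): a per-request nonce is generated, the CSP header is assembled with 'nonce-...' in script-src instead of 'unsafe-inline'/'unsafe-eval', the inline script tag carries the same nonce (which is what javascript_tag(nonce: true) does in Rails), and a small checker reports the script-src weaknesses the evaluator flags. The helper names, the two directive hashes and the checker's rules are assumptions of this example, not the evaluator's rule set or Decidim's defaults.

```ruby
require "securerandom"

# One nonce per response; Rails also uses SecureRandom.base64(16) for its CSP nonce.
def csp_nonce
  SecureRandom.base64(16)
end

# Build a Content-Security-Policy header from a directive hash.
# Plain strings pass through; the :nonce placeholder becomes 'nonce-<value>'.
def build_csp(directives, nonce:)
  directives.map do |name, sources|
    expanded = sources.map { |s| s == :nonce ? "'nonce-#{nonce}'" : s }
    "#{name} #{expanded.join(' ')}"
  end.join("; ")
end

# Constructed policy resembling the weak state described in the issue.
WEAK_DIRECTIVES = {
  "default-src" => ["'self'"],
  "script-src" => ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
  "style-src" => ["'self'", "'unsafe-inline'"]
}.freeze

# Constructed hardened policy: inline scripts are only allowed when they carry the nonce.
STRICT_DIRECTIVES = {
  "default-src" => ["'self'"],
  "script-src" => ["'self'", :nonce],
  "style-src" => ["'self'"],
  "object-src" => ["'none'"]
}.freeze

# An inline script tag that is allowed under the strict policy: same nonce as the header.
def nonced_script_tag(js, nonce:)
  %(<script nonce="#{nonce}">#{js}</script>)
end

# Parse a CSP header back into { directive => [sources] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name] = sources unless name.nil? || name.empty?
  end
end

# Simplified script-src review (assumption: a subset of what the CSP evaluator checks).
# script-src falls back to default-src when absent, as the CSP spec defines.
def script_src_findings(header)
  policy = parse_csp(header)
  sources = policy["script-src"] || policy["default-src"] || []
  findings = []
  findings << "script-src allows 'unsafe-inline'" if sources.include?("'unsafe-inline'")
  findings << "script-src allows 'unsafe-eval'" if sources.include?("'unsafe-eval'")
  unless sources.any? { |s| s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-") }
    findings << "script-src has no nonce or hash source"
  end
  findings << "script-src allows any host (*)" if sources.include?("*")
  findings
end

if __FILE__ == $PROGRAM_NAME
  nonce = csp_nonce
  puts "weak:   #{script_src_findings(build_csp(WEAK_DIRECTIVES, nonce: nonce)).inspect}"
  puts "strict: #{script_src_findings(build_csp(STRICT_DIRECTIVES, nonce: nonce)).inspect}"
  puts nonced_script_tag("console.log('hello')", nonce: nonce)
end
```

The checker reports three findings for the weak policy (inline, eval, no nonce) and none for the strict one. The nonce must be regenerated on every response and must never be reused across requests, otherwise it gives no more protection than 'unsafe-inline'.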
reference:
Edited by Lucien Langton
