Violates CSP unsafe-inline rule #71
While I get that this isn't a huge deal in development, I'd prefer if the CSP rules in development mode mostly matched the ones I'd like to use in production so that developers know if they are violating CSP rules.
This script is the main problem, assuming SWF is off.
I'm trying to think of ways this could be done without an inline script. Possibly a data attribute?
This is going to be an issue with Rails 5.2, which includes CSP policy by default. See https://github.com/rails/rails/pull/31162#issuecomment-347463658
One suggestion is to use nonce values for the script tags and dynamically modify the CSP header in the middleware
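The nonce approach suggested above, as an added example that is not part of this thread or of rack-livereload's code: a small Rack middleware that generates a fresh nonce per response, injects the bootstrap script tag carrying that nonce, and appends the matching `'nonce-...'` source to the response's `script-src` directive (copying `default-src` into a new `script-src` when the policy has none). The script body, the class name and the demo app are assumptions; the page itself does not show rack-livereload's real bootstrap script.

```ruby
require 'securerandom'

# Added example (not rack-livereload's own code): a Rack middleware that
# injects the live-reload bootstrap script with a per-request CSP nonce
# instead of an unrestricted inline script, and adds that nonce to the
# response's Content-Security-Policy header so the page still satisfies
# a policy that has no 'unsafe-inline'.
class NonceScriptInjector
  # script_body is a hypothetical placeholder for the real bootstrap code.
  def initialize(app, script_body: "console.log('livereload bootstrap');")
    @app = app
    @script_body = script_body
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless html_response?(headers)

    nonce = SecureRandom.base64(16)          # fresh, unguessable per response
    html = +""
    body.each { |chunk| html << chunk }
    body.close if body.respond_to?(:close)

    injected = self.class.inject_script(html, nonce, @script_body)
    headers = headers.dup
    csp_key = header_key(headers, "Content-Security-Policy") || "Content-Security-Policy"
    headers[csp_key] = self.class.add_nonce(headers[csp_key], nonce)
    len_key = header_key(headers, "Content-Length")
    headers[len_key] = injected.bytesize.to_s if len_key
    [status, headers, [injected]]
  end

  # Append 'nonce-...' to script-src; if the policy only has default-src,
  # create a script-src that copies its sources so nothing else breaks.
  def self.add_nonce(csp, nonce)
    return csp if csp.nil? || csp.strip.empty?   # no policy: nothing to relax
    token = "'nonce-#{nonce}'"
    directives = csp.split(";").map(&:strip).reject(&:empty?).map { |d| d.split(/\s+/) }
    script = directives.find { |d| d.first.casecmp?("script-src") }
    if script
      script << token unless script.include?(token)
    else
      default = directives.find { |d| d.first.casecmp?("default-src") }
      directives << ["script-src", *(default ? default[1..] : []), token]
    end
    directives.map { |d| d.join(" ") }.join("; ")
  end

  # Insert the nonce-bearing script tag before </body>, or at the end.
  def self.inject_script(html, nonce, script_body)
    tag = %(<script nonce="#{nonce}">#{script_body}</script>)
    idx = html.rindex(/<\/body>/i)
    idx ? html[0...idx] + tag + html[idx..] : html + tag
  end

  private

  def html_response?(headers)
    key = header_key(headers, "Content-Type")
    key && headers[key].to_s.include?("text/html")
  end

  def header_key(headers, name)
    headers.keys.find { |k| k.casecmp?(name) }   # Rack 2 mixed case, Rack 3 lowercase
  end
end

# Constructed demo app: a static page served with a strict CSP (no 'unsafe-inline').
DEMO_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/html",
     "Content-Security-Policy" => "default-src 'self'; script-src 'self'" },
   ["<html><body><p>hello</p></body></html>"]]
end

# Runs the middleware once and returns [csp_header, html] for inspection.
def demo_response
  _status, headers, body = NonceScriptInjector.new(DEMO_APP).call({})
  [headers["Content-Security-Policy"], body.join]
end

if __FILE__ == $0
  csp, html = demo_response
  puts csp
  puts html
end
```

Because the nonce is generated per response and never reused, the policy stays strict for every other inline script; a policy that already lists `'unsafe-inline'` in `script-src` is left as is, so the middleware never loosens an existing policy beyond the single tag it injects.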
I've got a project that uses a restrictive CSP in development, and it'd be great to have a solution other than conditionally allowing this through the CSP in the dev environment.
Anyone working on this? Is it worth it for me to dig in, myself?
With the Webpack integration in Rails this issue becomes less important, as many people use the live reload mechanism of the webpack dev server. So guard-livereload + rack-livereload is only required if you want to live reload e.g. the text in views.

Still, here is an unfinished code example that might be used to prepare a PR to https://github.com/jaredmdobson/rack-livereload (this repo here is deprecated). Unfortunately jaredmdobson/rack-livereload does not allow issues, to ask if a PR is welcome.

lib/ext/rack_livereload/body_processor.rb
lib/ext/rack_livereload/skel/livereload.html.erb
This requires you to apply the following settings to the application: