Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)

author ThibG <thib@sitedethib.com>

Fri, 8 May 2020 19:22:57 +0000 (21:22 +0200)

committer GitHub <noreply@github.com>

Fri, 8 May 2020 19:22:57 +0000 (21:22 +0200)
author ThibG <thib@sitedethib.com>
Fri, 8 May 2020 19:22:57 +0000 (21:22 +0200)
committer GitHub <noreply@github.com>
Fri, 8 May 2020 19:22:57 +0000 (21:22 +0200)
diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml

index 25d00133714982a044dfddd3c3be2df3f8f4a2f8..39fa0678fdcb12ad75b6e5ac1d906f9e3eed096d 100755 (executable)
--- a/app/views/layouts/application.html.haml
+++ b/app/views/layouts/application.html.haml
@@ -26,6 +26,8 @@
      = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
      = csrf_meta_tags
  
+    = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
+
      - if Setting.custom_css.present?
        = stylesheet_link_tag custom_css_path, media: 'all'
  
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb

index f26d9c8ea3762ebb7e206c8fabb0022b045049e1..7dcc028ab6ae76abff8e0102c2f82594566654cc 100644 (file)
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -22,7 +22,7 @@ Rails.application.config.content_security_policy do |p|
    p.frame_ancestors :none
    p.font_src        :self, assets_host
    p.img_src         :self, :https, :data, :blob, assets_host
-  p.style_src       :self, :unsafe_inline, assets_host
+  p.style_src       :self, assets_host
    p.media_src       :self, :https, :data, assets_host
    p.frame_src       :self, :https
    p.manifest_src    :self, assets_host
diff --git a/public/inert.css b/public/inert.css

new file mode 100644 (file)

index 0000000..275fad2
--- /dev/null
+++ b/public/inert.css
@@ -0,0 +1,11 @@
+[inert] {
+  pointer-events: none;
+  cursor: default;
+}
+
+[inert], [inert] * {
+  user-select: none;
+  -webkit-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
+}
author	ThibG <thib@sitedethib.com>
	Fri, 8 May 2020 19:22:57 +0000 (21:22 +0200)
committer	GitHub <noreply@github.com>
	Fri, 8 May 2020 19:22:57 +0000 (21:22 +0200)
app/views/layouts/application.html.haml		patch \| blob \| history
config/initializers/content_security_policy.rb		patch \| blob \| history
public/inert.css	[new file with mode: 0644]	patch \| blob