sbreker
left a comment
Hi Mel - It is a great idea to update this documentation and link to CSP. I have added a couple of comments:
- it is possible to still use styles and scripts with static pages, they must be signed with a nonce however.
- it would be good to add a link to the CSP page.
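As an added illustration of the nonce point in the comment above (this is example code, not from the AtoM project or this PR), the Python below builds a nonce-based policy of the kind the comment describes and then checks which styling constructs in a constructed static-page body a browser would still apply under it. The policy directives, the sample page and the helper names are all assumptions made for the example. It also goes one step beyond the comment: it shows why a nonce rescues an inline `<style>` element but never a `style="..."` attribute, and what happens when the header is absent altogether.

```python
import base64
import re
import secrets

# Added illustration, not AtoM's own code. The policy directives, the sample
# page and the helper names are all assumptions made for this example.


def make_nonce() -> str:
    """Fresh, unguessable per-response nonce, base64-encoded as CSP requires."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Assumed policy: own-origin assets (e.g. a bundled Bootstrap 5 stylesheet)
    plus inline <script>/<style> elements that carry this response's nonce."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )


def directive_sources(csp: str, directive: str) -> list[str]:
    """Source list for one directive, falling back to default-src as browsers do."""
    found = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            found[tokens[0]] = tokens[1:]
    return found.get(directive, found.get("default-src", []))


def classify_fragments(html: str, csp: str) -> list[tuple[str, bool, str]]:
    """For each styling construct in a static page, say whether the browser
    would apply it under `csp`. Returns (construct, allowed, reason).

    Rules modelled (CSP Level 2/3 behaviour):
    - <link rel=stylesheet> to a same-origin path is allowed by 'self'.
    - <style nonce="..."> is allowed when 'nonce-...' is in style-src.
    - <style> without a nonce needs 'unsafe-inline'.
    - style="..." attributes are never matched by a nonce; they need
      'unsafe-inline' (or a hash plus 'unsafe-hashes'). This is the inline
      styling that stops working once the header is enforced.
    - class="..." is outside CSP's scope, so BS5 utility classes always work.
    - 'unsafe-inline' is ignored by browsers when a nonce or hash is present.
    - An empty policy string models "CSP disabled": nothing is restricted.
    """
    enforced = bool(csp.strip())
    sources = directive_sources(csp, "style-src") if enforced else []
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    unsafe_inline = "'unsafe-inline'" in sources and not has_nonce_or_hash

    def verdict(frag: str, ok: bool, why_ok: str, why_blocked: str):
        if not enforced:
            return (frag, True, "no CSP header sent: nothing is restricted")
        return (frag, ok, why_ok if ok else why_blocked)

    results = []

    for m in re.finditer(r'<link\b[^>]*\brel="stylesheet"[^>]*\bhref="([^"]+)"[^>]*>', html):
        href = m.group(1)
        same_origin = href.startswith("/") and not href.startswith("//")
        results.append(verdict(m.group(0), same_origin and "'self'" in sources,
                               "same-origin stylesheet matches 'self'",
                               "stylesheet origin not listed in style-src"))

    for m in re.finditer(r"<style\b[^>]*>", html):
        tag = m.group(0)
        n = re.search(r'\bnonce="([^"]*)"', tag)
        nonce_ok = n is not None and f"'nonce-{n.group(1)}'" in sources
        results.append(verdict(tag, nonce_ok or unsafe_inline,
                               "nonce matches style-src" if nonce_ok else "'unsafe-inline' present",
                               "inline <style> without a valid nonce"))

    for m in re.finditer(r'<\w+[^>]*\sstyle="[^"]*"', html):
        results.append(verdict(m.group(0), unsafe_inline,
                               "'unsafe-inline' present",
                               "style attribute: nonces never apply, needs 'unsafe-inline'"))

    for m in re.finditer(r'<\w+[^>]*\sclass="[^"]*"[^>]*>', html):
        results.append(verdict(m.group(0), True, "class attribute is not governed by CSP", ""))

    return results


# Constructed sample page body, not taken from any real AtoM page.
NONCE = make_nonce()
CSP = build_csp(NONCE)
SAMPLE_PAGE = f"""
<link rel="stylesheet" href="/css/bootstrap.min.css">
<style nonce="{NONCE}">.callout {{ border-left: 4px solid #0d6efd; }}</style>
<style>.shout {{ color: red; }}</style>
<p style="color: red;">Inline style attribute: dropped once CSP is enforced.</p>
<p class="text-danger">Bootstrap 5 utility class: fine under CSP.</p>
"""


def allowed_flags(html: str, csp: str) -> list[bool]:
    """Just the allowed/blocked column, in the order the rules above emit it."""
    return [allowed for _, allowed, _ in classify_fragments(html, csp)]


if __name__ == "__main__":
    for frag, allowed, reason in classify_fragments(SAMPLE_PAGE, CSP):
        print("ALLOWED" if allowed else "BLOCKED", frag[:50], "-", reason)
```

Run as a script it prints one verdict per construct; the interesting pair is the nonce'd `<style>` block (allowed) against the `style="color: red;"` attribute (blocked), which is the case static-page authors hit in practice. Passing an empty policy string stands in for the "CSP disabled" option discussed later in the thread and makes every construct pass again.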
I think this section is still demonstrating using inline styles. Can these examples be reworked with BS5 styling?
I've rearranged this section so that the BS5 classes are mentioned first, but kept the inline example at the end with an important box that this won't work if HTML Purifier or CSP are enforced.
AtoM now enforces a :ref:`security-csp-headers` across the application.
As a result, inline CSS styles within static page content will no longer
be applied. Consider using Markdown formatting or BS5 classes instead where
styling is required.
Should we add something to the effect of "CSP can be disabled which would allow inline scripts and styles to be used in static pages, but this is not recommended."?
So Anvit and I have discussed that an experienced dev who understands the implications of CSP would know that disabling CSP is an option, but we don't want to openly suggest to users (who may not have a good technical background) that disabling CSP is an option. Thoughts?