From e1629a77585245493d4b0ffb8d612d19b53d9087 Mon Sep 17 00:00:00 2001 From: ThibG Date: Fri, 8 May 2020 21:22:57 +0200 Subject: [PATCH] Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679) * Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src --- app/views/layouts/application.html.haml | 2 ++ config/initializers/content_security_policy.rb | 2 +- public/inert.css | 11 +++++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 public/inert.css diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml index 25d001337..39fa0678f 100755 --- a/app/views/layouts/application.html.haml +++ b/app/views/layouts/application.html.haml @@ -26,6 +26,8 @@ = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous' = csrf_meta_tags + = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style' + - if Setting.custom_css.present? = stylesheet_link_tag custom_css_path, media: 'all' diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index f26d9c8ea..7dcc028ab 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -22,7 +22,7 @@ Rails.application.config.content_security_policy do |p| p.frame_ancestors :none p.font_src :self, assets_host p.img_src :self, :https, :data, :blob, assets_host - p.style_src :self, :unsafe_inline, assets_host + p.style_src :self, assets_host p.media_src :self, :https, :data, assets_host p.frame_src :self, :https p.manifest_src :self, assets_host diff --git a/public/inert.css b/public/inert.css new file mode 100644 index 000000000..275fad2e6 --- /dev/null +++ b/public/inert.css @@ -0,0 +1,11 @@ +[inert] { + pointer-events: none; + cursor: default; +} + +[inert], [inert] * { + user-select: none; + -webkit-user-select: none; + -moz-user-select: none; + -ms-user-select: none; +}