Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Remove inline JS to avoid need for CSP script-src 'unsafe-inline'

See original GitHub issue

Description

Hi! This is the scripts equivalent of #858 (which is about styles instead).

Currently mkdocs-material includes inline scripts in the generated HTML, which means the insecure 'unsafe-inline' source has to be used for the script-src Content-Security-Policy.

(Adding hashes to the script-src policy isn’t really viable, since the hash would change on every new mkdocs release, since the script content contains the mkdocs version number.)

Expected behavior

No inline scripts.

Actual behavior

Inline scripts in the generated HTML:

<script>app.initialize({version:"1.0.2",url:{base:"."}})</script>

Which comes from: https://github.com/squidfunk/mkdocs-material/blob/7f08e2849a4d51ca7457e64bd2b2ab806103d771/src/base.html#L351-L358

…which result in the following errors in the browser console if the more secure script-src policy is used:

Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").

Steps to reproduce the bug

Generate a site using mkdocs 1.0.2 and mkdocs-material 3.0.3
Serve the site with the following header set: Content-Security-Policy: script-src 'self'; (a reduced version of the actual policy that would be used on a production site)
Visit the site in a modern CSP-supporting browser (in my case, today’s Firefox Nightly)

Package versions

Python: 3.6.5
MkDocs: 1.0.2
Material: 3.0.3

Project configuration

docs_dir: 'docs'
site_dir: 'build'
strict: true

site_name: 'Neutrino'
site_description: 'Create and build modern JavaScript applications with zero initial configuration'
repo_name: 'neutrinojs/neutrino'
repo_url: 'https://github.com/neutrinojs/neutrino'

# https://squidfunk.github.io/mkdocs-material/getting-started/#configuration
theme:
  name: 'material'
  palette:
    primary: 'teal'
    accent: 'teal'
  # Disable the default top left logo until we sort out our custom one.
  logo:
    icon: ' '

# http://www.mkdocs.org/user-guide/writing-your-docs/#configure-pages-and-navigation
nav:
  - Introduction: './index.md'
  - Getting Started:
    - Installation: './installation/index.md'
    - Create new project: './installation/create-new-project.md'
  - Usage: './usage.md'
  - Project Layout: './project-layout.md'
  - FAQ: './faq.md'
  - Learning Resources: './learning-resources.md'
  - CLI: './cli.md'
  - API: './api.md'
  - Configuration API - webpack-chain: './webpack-chain.md'
  - Customization: './customization.md'
  - Creating Presets: './creating-presets.md'
  - Migration Guide: './migration-guide.md'
  - Presets: './presets.md'
  - Middleware: './middleware.md'
  - Packages:
    - Web: './packages/web.md'
    - React: './packages/react.md'
    - Preact: './packages/preact.md'
    - Vue: './packages/vue.md'
    - Node.js: './packages/node.md'
    - Library: './packages/library.md'
    - React Components: './packages/react-components.md'
    - Airbnb: './packages/airbnb.md'
    - Airbnb Base: './packages/airbnb-base.md'
    - StandardJS: './packages/standardjs.md'
    - Karma: './packages/karma.md'
    - Mocha: './packages/mocha.md'
    - Jest: './packages/jest.md'
    - banner: './packages/banner.md'
    - clean: './packages/clean.md'
    - compile-loader: './packages/compile-loader.md'
    - copy: './packages/copy.md'
    - dev-server: './packages/dev-server.md'
    - eslint: './packages/eslint.md'
    - font-loader: './packages/font-loader.md'
    - html-loader: './packages/html-loader.md'
    - html-template: './packages/html-template.md'
    - image-loader: './packages/image-loader.md'
    - image-minify: './packages/image-minify.md'
    - loader-merge: './packages/loader-merge.md'
    - pwa: './packages/pwa.md'
    - start-server: './packages/start-server.md'
    - style-loader: './packages/style-loader.md'
    - style-minify: './packages/style-minify.md'
    - stylelint: './packages/stylelint.md'
  - v8 Documentation: 'https://neutrinojs.org/'
  - v7 Documentation: 'https://release-v7.neutrinojs.org/'
  - v6 Documentation: 'https://github.com/neutrinojs/neutrino/tree/release/v6/docs'
  - v5 Documentation: 'https://github.com/neutrinojs/neutrino/tree/release/v5/docs'
  - v4 Documentation: 'https://github.com/neutrinojs/neutrino/tree/release/v4/docs'
  - Contributing:
    - Overview: './contributing/index.md'
    - Development Process: './contributing/development.md'
    - Code of Conduct: './contributing/code-of-conduct.md'

# https://squidfunk.github.io/mkdocs-material/getting-started/#extensions
markdown_extensions:
  - admonition
  - codehilite:
      guess_lang: false
  - toc:
      permalink: true

System information

OS: Windows 10
Browser: Today’s Firefox Nightly

Issue Analytics

State:
Created 5 years ago
Reactions:2
Comments:11 (9 by maintainers)

Top GitHub Comments

1reaction

squidfunkcommented, Nov 19, 2018

Okay, great. I was just housekeeping issues and wanted to know if there’s any progress on your side 😃 My point regarding the proposal was more in the direction of enumerating possible scenarios (use default font, override default font etc.) and making sure we can all check them off. It’s more that I’m concerned with easy upgrade paths and minimal disruptions 😃 I will leave this issue open and wait for your suggestions. Thanks for your work!

0reactions

squidfunkcommented, May 7, 2021

It’s not a meta tag, it’s a header that must be set, so you can either (probably) set it on every *.html file which you deploy to S3, or use another method. Not that this is beyond the scope of this project, so if you need further guidance, it’s probably best to ask this on StackOverflow.

Top Results From Across the Web

Why It's Bad to Use 'unsafe-inline' in script-src - Csper

This article covers why 'unsafe-inline' in a Content Security Policy is a bad idea, and what can be done instead of using 'unsafe-inline'....

How to avoid unsafe-inline in Content Security Policy (CSP)?

Avoid 'unsafe-inline' value in script-src directive to increase the protective capability of CSP. Try not to write inline-javascript.

CSP: script-src - HTTP - MDN Web Docs - Mozilla

Unsafe inline script. Note: Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. However, if you ...

Why Inline Javascript is executed without error when Content ...

1 Answer 1 · Check the console if there CSP header is recognized or if there are unprintable chars or other syntax errors...

How to use React without unsafe-inline runtime chunk and why

Removing unsafe-inline chunk from React application is easy and will help you ... Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline';.