Public API injects inline script into page.
Issue Summary
When Public API is enabled in the Labs menu, Ghost injects an inline script tag into the page.
Steps to Reproduce
- Go to https://example.com/ghost/settings/labs/
- Enable the checkbox option for Public API
- Refresh your homepage; an inline script tag will be injected
Technical details
Injecting an inline script into the page is problematic for sites that want to use Content Security Policy. One of the biggest security benefits of CSP is the ability to effectively neutralise XSS attacks. To do this, the execution of inline script is blocked. This leaves Ghost users the option of using the Public API and disabling this security feature or not using the Public API.
Is it possible the contents of the script tag can be externalised? Example script tag:
<script type="text/javascript">
ghost.init({
    clientId: "ghost-frontend",
    clientSecret: "$value"
});
</script>
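To make the CSP trade-off in this report concrete, here is an added example (not code from the issue or from Ghost) that models the two options a site operator has: allow the exact inline tag by listing its SHA-256 hash in script-src, or serve the same call as a same-origin external file so a plain `'self'` policy covers it. The script tag body is the one from the report with the secret left as the `$value` placeholder; the path `/ghost-init.js` is a hypothetical file name, not a Ghost endpoint. The policy evaluator is deliberately simplified (no nonces, no wildcard or scheme-only sources) but follows the CSP Level 2 rule that a hash in the source list makes `'unsafe-inline'` ignored.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample input: the inline tag described in the issue, with a
# placeholder in place of the real client secret.
INLINE_TAG = (
    '<script type="text/javascript">\n'
    'ghost.init({\n'
    '    clientId: "ghost-frontend",\n'
    '    clientSecret: "$value"\n'
    '});\n'
    '</script>'
)

# Constructed alternative: the same call served as a same-origin external file.
# The path /ghost-init.js is hypothetical, not a real Ghost endpoint.
EXTERNAL_TAG = '<script src="/ghost-init.js"></script>'

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.DOTALL | re.IGNORECASE)
SRC_ATTR_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def csp_sha256(script_body: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for an inline script.

    The digest covers the exact text between <script> and </script>, so any
    change in whitespace, or a rotated client secret, invalidates the hash.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_script_tag(tag: str):
    """Return (src or None, inline body) for a single <script> element."""
    m = SCRIPT_RE.search(tag)
    if not m:
        raise ValueError("not a <script> element")
    attrs, body = m.group(1), m.group(2)
    src = SRC_ATTR_RE.search(attrs)
    return (src.group(1) if src else None), body


def script_sources(policy: str) -> list:
    """Extract the source list governing scripts: script-src, else default-src."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def script_allowed(policy: str, tag: str, page_origin: str) -> bool:
    """Simplified CSP decision for one <script> tag (no nonces, no wildcards).

    Inline: allowed by a matching 'sha256-...' hash, or by 'unsafe-inline'
    only when the source list carries no hash (a hash makes it ignored).
    External: allowed by 'self' for same-origin URLs, or by an exact origin
    listed in the source list.
    """
    sources = script_sources(policy)
    src, body = parse_script_tag(tag)

    if src is None:
        hashes = [s for s in sources if s.startswith("'sha256-")]
        if csp_sha256(body) in hashes:
            return True
        return "'unsafe-inline'" in sources and not hashes

    target = urlparse(src if "://" in src else page_origin + src)
    target_origin = f"{target.scheme}://{target.netloc}"
    if "'self'" in sources and target_origin == page_origin:
        return True
    return any(s.rstrip("/") == target_origin for s in sources if "://" in s)


def demo(origin: str = "https://example.com") -> dict:
    """Compare the injected inline tag and its externalised form under two policies."""
    strict = "default-src 'self'"
    _, body = parse_script_tag(INLINE_TAG)
    hashed = f"default-src 'self'; script-src 'self' {csp_sha256(body)}"
    return {
        "inline_under_strict": script_allowed(strict, INLINE_TAG, origin),
        "inline_under_hash": script_allowed(hashed, INLINE_TAG, origin),
        "external_under_strict": script_allowed(strict, EXTERNAL_TAG, origin),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The hash route works but is fragile for this case: the hashed text contains the client secret, so every secret rotation or template whitespace change forces a policy update, which is why externalising the call (the second option) is the one that lets a site keep a strict `script-src 'self'`.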
Issue Analytics
- Created 7 years ago
- Reactions:2
- Comments:6 (3 by maintainers)
Top GitHub Comments
We’re aware that the way the Public API scripts are injected into the page is currently not ideal. We 100% intend to revisit this before removing the beta flag from this feature.
If anyone wants to raise PRs to improve the code, that would be great. Ideally these would use examples from other platforms and how they do this as reference material. cc @brettdewoody re #8918
We’re currently working on new API versions and an associated change in auth mechanism that will come with new SDKs that will not have any form of script injection.
Unfortunately we need to keep the injection around for backwards-compatibility until the next major version of Ghost. In the meantime we’ll be looking at ways to remove the render blocking behaviour.
Closing this issue because we’re unable to solve the CSP or script injection aspect at this time but it will eventually disappear as part of a future major release.