prevent unsafe-inline CSP errors by putting all JS in their own file?
See original GitHub issue

Issue Summary
The wagtail 2.4 admin still loads some JS inline:
<!doctype html>
<html class="no-js" lang="en-gb">
  <head>
    <meta charset="utf-8" />
    ...
    <link rel="shortcut icon" href="/static/wagtailadmin/images/favicon.ico" />
  </head>
  <body id="wagtail" class="page-explorer ">
    ...
    <script>
      (function(document, window) {
        window.wagtailConfig = window.wagtailConfig || {};
        wagtailConfig.ADMIN_API = {
          PAGES: '/cms/api/v2beta/pages/',
          DOCUMENTS: '/cms/api/v2beta/documents/',
          IMAGES: '/cms/api/v2beta/images/',
which means that wagtail cannot be deployed on servers with a CSP that forbids unsafe-inline scripts (which is quite a sensible thing to do these days).
Steps to Reproduce
- add https://github.com/jsocol/django-csp to the project
- make sure the script CSP does not include unsafe-inline
- load the wagtail CMS admin view with the dev console open

Making sure that all JS like this is in its own file and loaded from src should solve this.
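The reproduction above can be done without a browser: parse the rendered admin page, collect every `<script>` element that has no `src`, and check each one against the policy the server would send. The block below is an added example written for this page; it is not code from Wagtail or django-csp. The HTML it scans is a constructed, trimmed copy of the snippet in the issue (with a closing `</script>` added so it parses), and the policy strings are assumptions standing in for whatever django-csp is configured to emit (in django-csp 3.x a policy without unsafe-inline corresponds to `CSP_SCRIPT_SRC = ("'self'",)`). For each inline script it also computes the `'sha256-...'` source that would whitelist exactly that script, which is the interim alternative to `'unsafe-inline'` until the script is moved into its own file as the issue proposes.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page, not captured from a real Wagtail deployment:
# one external script (allowed by 'self') and one inline config script
# like the one quoted in the issue.
SAMPLE_HTML = """<!doctype html>
<html class="no-js" lang="en-gb"><head><meta charset="utf-8"></head>
<body id="wagtail">
<script src="/static/wagtailadmin/js/core.js"></script>
<script>
(function(document, window) {
window.wagtailConfig = window.wagtailConfig || {};
wagtailConfig.ADMIN_API = { PAGES: '/cms/api/v2beta/pages/' };
})(document, window);
</script>
</body></html>"""


class InlineScriptCollector(HTMLParser):
    """Collects (body, nonce) for every <script> without a src attribute."""

    def __init__(self):
        super().__init__()
        self._inline_nonce = None   # nonce attr of the script being read, if any
        self._in_inline = False
        self._buf = []
        self.inline_scripts = []    # list of (body, nonce_or_None)
        self.external_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external_srcs.append(attrs["src"])
        else:
            self._in_inline = True
            self._inline_nonce = attrs.get("nonce")
            self._buf = []

    def handle_data(self, data):
        # <script> content is CDATA, so this is the raw text the browser hashes.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf)
            if body.strip():
                self.inline_scripts.append((body, self._inline_nonce))


def csp_hash_source(script_body):
    """CSP hash-source for an inline script: base64(sha256(exact script text))."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def parse_policy(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    # script-src falls back to default-src when it is not set.
    return policy.get("script-src", policy.get("default-src", []))


def audit(html, policy_header):
    """Return [(script_body, hash_source)] for inline scripts the policy blocks."""
    collector = InlineScriptCollector()
    collector.feed(html)
    collector.close()
    sources = script_sources(parse_policy(policy_header))
    # Keyword sources are case-insensitive; hash and nonce values are not.
    keywords = {s.lower() for s in sources if s.startswith("'")}
    has_hash_or_nonce = any(
        s.startswith(("'sha256-", "'sha384-", "'sha512-", "'nonce-")) for s in sources
    )
    # Per CSP level 2+, a hash or nonce in the directive makes browsers ignore 'unsafe-inline'.
    unsafe_inline = "'unsafe-inline'" in keywords and not has_hash_or_nonce
    blocked = []
    for body, nonce in collector.inline_scripts:
        hash_src = csp_hash_source(body)
        nonce_ok = nonce is not None and ("'nonce-%s'" % nonce) in sources
        if unsafe_inline or nonce_ok or hash_src in sources:
            continue
        blocked.append((body, hash_src))
    return blocked


if __name__ == "__main__":
    strict = "default-src 'self'; script-src 'self'"
    for body, hash_src in audit(SAMPLE_HTML, strict):
        print("blocked inline script; add %s to script-src or move it to a file:" % hash_src)
        print(body.strip())
```

Running it against the strict policy reports the `wagtailConfig` script as blocked, while the same page under `script-src 'self' 'unsafe-inline'` reports nothing, which is exactly the difference the dev-console error in the issue reflects. Note that adding the computed hash only helps while the inline script's text is byte-for-byte stable; the `ADMIN_API` URLs depend on deployment settings, so the hash would change per site, which is why moving the values onto data attributes or into an external file is the durable fix.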
Issue Analytics
- State:
- Created 4 years ago
- Comments: 14 (12 by maintainers)
Top GitHub Comments
@Pomax thanks for giving it a go - these things evolve slowly and yes in hindsight it’s a bit confusing. We don’t have a way to split sub-threads out.
Here is a direct link to the investigation. https://github.com/lb-/bakerydemo/blob/ui-experiments/lightweight-frontend-framework-investigation-2022.md
Here is a direct link to the code. The header search is a good example of removal of a large amount of inline scripts tags and also setting up data on data attributes where needed. https://github.com/lb-/wagtail/pull/5/files
I will post here when the RFC is up - that will give a better chance to comment.
@Pomax as discussed
RFC 78 created https://github.com/wagtail/rfcs/pull/78