
CSP style-src: 'unsafe-inline' in a landing page

I use the Webflow tool to set up my website. I export the code to host it on my server.

I have set up the Content-Security-Policy header.

Problem: most of the styles are inline. I can't add the hash for all of them, there are too many...

Is it so dangerous to put unsafe inline on style-src?

Note that this is a 99.9% static site (just a contact form).

Thank you for your help!

The dangers of 'unsafe-inline' in style-src are discussed here: https://scotthelme.co.uk/can-you-get-pwned-with-css/

If you can restrict the rest of your CSP, the dangers will be limited, but there will always be someone who disagrees. If it is technically possible, you could use nonces, as you could use the same nonce for all tags but change it on every page load. It seems like you don't want to or can't extract all the CSS to a separate file, which would of course be the simplest solution.
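
The per-page-load nonce suggested in the answer, as an added example that is not part of the original post: one fresh nonce per response is stamped onto every `<style>` element of the exported page and placed in the `style-src` directive. A nonce only authorises `<style>` elements, not `style=""` attributes, so the function also counts the attributes that would still be blocked. The names `render_with_nonce` and `SAMPLE_PAGE`, the `default-src 'self'` baseline and the sample markup are assumptions made for illustration.

```python
import base64
import re
import secrets

# Opening tag of every <style> element (does not match style="" attributes).
STYLE_OPEN = re.compile(r"<style\b([^>]*)>", re.IGNORECASE)
# Elements carrying an inline style="" attribute; a nonce cannot cover these.
STYLE_ATTR = re.compile(r"<[^>]+\sstyle\s*=", re.IGNORECASE)

# Constructed sample standing in for one exported static page.
SAMPLE_PAGE = """<html><head>
<style>.hero{color:#333}</style>
<style media="print">.nav{display:none}</style>
</head><body>
<div style="margin:0">Contact</div>
</body></html>"""


def render_with_nonce(html):
    """Return (html, csp_header_value, uncovered_style_attrs) for ONE response.

    Apply this only to trusted, static markup: anything matching <style> in
    the input receives the nonce, so user-supplied content must never pass
    through this function.
    """
    # 128 random bits, standard base64, regenerated for every response.
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    tagged = STYLE_OPEN.sub(
        lambda m: '<style nonce="%s"%s>' % (nonce, m.group(1)), html
    )
    # Assumed baseline policy; no 'unsafe-inline' in style-src.
    csp = "default-src 'self'; style-src 'self' 'nonce-%s'" % nonce
    uncovered = len(STYLE_ATTR.findall(html))
    return tagged, csp, uncovered


if __name__ == "__main__":
    page, header, uncovered = render_with_nonce(SAMPLE_PAGE)
    print("Content-Security-Policy:", header)
    print("style attributes still blocked by this policy:", uncovered)
    print(page)
```

Because the nonce has to differ on every response, the page and its header must be produced together per request and the result must not be served from a shared cache.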
