Content Security Policy #2581

Open
mklilley opened this issue Jan 19, 2025 · 3 comments
Comments

@mklilley

I am aware of an older issue about CSP, #2155, but was unable to comment on it as it was closed. It was suggested that the createHTML function could fix errors like:

Refused to apply inline style because it violates the following Content Security Policy directive: [...]

However, it's my understanding that CSP as it relates to style attributes (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src) cannot be handled by a nonce, and hence createHTML would not be of use.

More specifically, it seems like nonces are only applicable to style tags as opposed to inline style attributes. It seems like inline style attributes are not compatible with CSP at all.

Am I right in this?

Thanks

Matt

@arnog
Owner

arnog commented Jan 19, 2025

Unfortunately I cannot comment on how CSP works. Hopefully someone more knowledgeable could chime in.

I do not have a reproducible case of this problem. I'm not sure there is a problem. Without it, it would not be possible to investigate the issue (if there is one).

But if anyone has information about how to reproduce this problem and how to potentially solve it, I'd be very interested to hear.

@mklilley
Author

Yeah, that's totally fair. Let me see what I can do. Thanks for responding so fast.

@arnog
Owner

arnog commented Jan 23, 2025

I've investigated this to some extent. In order to display formulas, the mathfield generates HTML markup which contains a style attribute. This is fundamental to the way the mathfield renders content. In the CSP terminology, this is an "inline style". In order to display correctly, the CSP directive for the pages that contain mathfields must allow inline styles. This is done by setting the following header

Content-Security-Policy: style-src 'self' 'unsafe-inline';

It does not appear that CSP allows other mechanisms for this use case.
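The rules the thread arrives at, modelled as a small policy checker (an added example, not MathLive code): a nonce-source only matches a `<style>` element, a `style="..."` attribute is admitted only by `'unsafe-inline'`, and browsers ignore `'unsafe-inline'` when the same directive also carries a nonce- or hash-source. It assumes a header string as its only input and only models `style-src` with `default-src` as the fallback.

```python
import re
from typing import Dict, List, Optional

# A hash-source or nonce-source in the directive makes browsers ignore 'unsafe-inline'.
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def style_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """style-src governs styles; absent that, default-src applies; absent both, no restriction."""
    if "style-src" in policy:
        return policy["style-src"]
    return policy.get("default-src")


def allows_style_attribute(header: str) -> bool:
    """Is an inline style="..." attribute (what the mathfield emits) permitted?"""
    sources = style_sources(parse_csp(header))
    if sources is None:
        return True
    has_nonce_or_hash = any(NONCE_RE.match(s) or HASH_RE.match(s) for s in sources)
    # Only 'unsafe-inline' admits style attributes, and it is ignored once a
    # nonce- or hash-source is present in the same directive.
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def allows_style_element(header: str, nonce: Optional[str] = None) -> bool:
    """Is a <style> element (optionally carrying nonce=...) permitted?"""
    sources = style_sources(parse_csp(header))
    if sources is None:
        return True
    # A matching nonce admits the element; otherwise the attribute rule applies.
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return allows_style_attribute(header)


if __name__ == "__main__":
    # Constructed sample: the header from the comment above, with and without a nonce.
    print(allows_style_attribute("style-src 'self' 'unsafe-inline';"))          # True
    print(allows_style_attribute("style-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"))  # False
```

A page that already relies on a nonce for its own `<style>` elements therefore still blocks the mathfield's style attributes even after adding `'unsafe-inline'`, which is the case worth checking in a deployment.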
