
Better CSP support #677

Closed
Nuklon opened this issue Nov 30, 2021 · 3 comments

Comments


Nuklon commented Nov 30, 2021

Right now some of the theme files use inline scripts, which is not compatible with blocking inline scripts in a CSP policy.


d-gibbs commented Dec 21, 2021

As a workaround, you can inject a CSP nonce into the Model.JavaScriptTagAttributes property of the FormViewModel before passing it to Html.RenderFormsScripts...

This can be done in: \Views\Partials\Forms\Themes\default\Script.cshtml (line 54):

```razor
@{
    // Reuse the attributes already on the model, or start with an empty set.
    var tagAttributes = Model.JavaScriptTagAttributes ?? new Dictionary<string, string>();

    // Add the per-request nonce so the emitted <script> tags match the CSP 'nonce-...' source.
    if (!tagAttributes.ContainsKey("nonce"))
    {
        tagAttributes.Add("nonce", "request nonce value goes here...");
    }
}

@Html.RenderFormsScripts(Url, Model, tagAttributes)
```

This will ensure that any scripts injected by Umbraco.Forms have been whitelisted.
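The workaround above leaves open where the per-request nonce comes from. The following is an added example, not code from Umbraco Forms or from this thread, showing one way to generate the nonce and the matching Content-Security-Policy header in ASP.NET Core (Umbraco 9); the middleware class, the `NonceItemKey` name and the policy string are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (added example): creates a fresh nonce for every
// response, stores it in HttpContext.Items for views to read, and sends a
// CSP header that allows same-origin scripts plus scripts carrying that nonce.
public static class CspNonceMiddleware
{
    // Key under which the nonce is stored in HttpContext.Items (assumed name).
    public const string NonceItemKey = "csp-nonce";

    public static string GenerateNonce()
    {
        // 128 bits from the CSPRNG, base64-encoded; never reuse a nonce across responses.
        return Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    }

    public static IApplicationBuilder UseCspNonce(this IApplicationBuilder app)
    {
        return app.Use(async (context, next) =>
        {
            var nonce = GenerateNonce();
            context.Items[NonceItemKey] = nonce;

            // No 'unsafe-inline': an inline <script> without this exact nonce is blocked.
            // Headers must be set before the response body starts, so do it before next().
            context.Response.Headers["Content-Security-Policy"] =
                $"default-src 'self'; script-src 'self' 'nonce-{nonce}'";

            await next();
        });
    }
}

// In the theme's Script.cshtml, read the same nonce and hand it to the forms renderer:
//
// @{
//     var nonce = Context.Items[CspNonceMiddleware.NonceItemKey] as string;
//     var tagAttributes = Model.JavaScriptTagAttributes ?? new Dictionary<string, string>();
//     tagAttributes["nonce"] = nonce;
// }
// @Html.RenderFormsScripts(Url, Model, tagAttributes)
```

Register the middleware with `app.UseCspNonce()` before the request reaches Umbraco so that the nonce in the header and the nonce on the script tags are the same value for each response.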


sussexrick commented Jan 22, 2022

This was first requested in 2016 and shut down when I requested it again (#16). Umbraco is normally so good at being secure by default. It would be really helpful to see these inline scripts finally moved into separate .js files by default.

@AndyButland

We've converted the instances of inline scripts into referenced files now, will be available in 8.11.0 and 9.3.0.
