forked from fedi/mastodon
Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)
* Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src
This commit is contained in:
parent
0d62e09707
commit
e1629a7758
|
@ -26,6 +26,8 @@
|
||||||
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
|
= javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous'
|
||||||
= csrf_meta_tags
|
= csrf_meta_tags
|
||||||
|
|
||||||
|
= stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style'
|
||||||
|
|
||||||
- if Setting.custom_css.present?
|
- if Setting.custom_css.present?
|
||||||
= stylesheet_link_tag custom_css_path, media: 'all'
|
= stylesheet_link_tag custom_css_path, media: 'all'
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@ Rails.application.config.content_security_policy do |p|
|
||||||
p.frame_ancestors :none
|
p.frame_ancestors :none
|
||||||
p.font_src :self, assets_host
|
p.font_src :self, assets_host
|
||||||
p.img_src :self, :https, :data, :blob, assets_host
|
p.img_src :self, :https, :data, :blob, assets_host
|
||||||
p.style_src :self, :unsafe_inline, assets_host
|
p.style_src :self, assets_host
|
||||||
p.media_src :self, :https, :data, assets_host
|
p.media_src :self, :https, :data, assets_host
|
||||||
p.frame_src :self, :https
|
p.frame_src :self, :https
|
||||||
p.manifest_src :self, assets_host
|
p.manifest_src :self, assets_host
|
||||||
|
|
11
public/inert.css
Normal file
11
public/inert.css
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
[inert] {
|
||||||
|
pointer-events: none;
|
||||||
|
cursor: default;
|
||||||
|
}
|
||||||
|
|
||||||
|
[inert], [inert] * {
|
||||||
|
user-select: none;
|
||||||
|
-webkit-user-select: none;
|
||||||
|
-moz-user-select: none;
|
||||||
|
-ms-user-select: none;
|
||||||
|
}
|
Loading…
Reference in a new issue