Refused to apply inline style because it violates the following Content Security Policy directive #191
Comments
In my opinion, the better resolution would be to take JS and CSS out of the templates and provide linkcheck JS/CSS files, that would be included in |
Sure, I'd be happy to contribute. I'll find some time and take care of it - may reach out to you privately for some questions. |
Hi Claudep, I'm in the code and have two questions for you: 1 - So it appears there's this inline style that appears because base extends admin/changelists.html.
If you look here:
I don't know enough about what admin/changelist does to fix that. Let me know if you have an idea. 2 - I noticed that the tables don't come out clean in the reports because each row is a table. While I'm at it, do you mind if I pull that table tag out of the loop so it's a single table with a single set of bold tags at the very top of the table - and then repeating, but more discreet (perhaps non-bolded italic), td tags with each object? Let me know. |
Difficult to say. Looks like this targets the first checkbox that is used to select all lines. I guess you can try by setting ModelAdmin.actions_on_top and ModelAdmin.actions_on_bottom to False on some admin model, then see what happens if this line is removed. I'm sure Django devs would be open to removing that if this is no longer useful, or moving that into a CSS file (by conditionally setting a specific class).
Please do, as long as no regressions happen. Maybe in a separate commit or PR. |
I didn't follow the whole discussion, but is this related to the main linkcheck table? If so, any work done here would be superfluous after #189 is merged, right? |
Yeah, that would most likely fix at least part of the CSP issue I'm having - and would also make it unnecessary to fiddle with the table. I'm pretty much done with moving the static files and was going to send the PR today - but if you prefer I can wait for your PR to go through first. Let me know. |
Hey, sorry about the change of heart - I had the code open and don't like leaving things unfinished so I just finished it off and sent a pull request. This way, if you decide to move on with #189 - then you can do it in your own time. Also - now that everything renders as it should, the table is nice and straight (I was seeing the tables with uneven ends, but it turns out it had to do with some styles not being loaded) so I don't think there's any need to further fiddle with that on my part. Hope that works, let me know if there are any issues with the provided changes. |
Sorry, I totally forgot about the existing PR. Aging... 💀 |
I'm (perhaps unwittingly) using some pretty restrictive CSP settings, requiring a nonce for inline scripts and styles. I'm getting three errors related to this:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src <edited out> Either the 'unsafe-inline' keyword, a hash (<edited out>), or a nonce ('nonce-...') is required to enable inline execution.
Two errors like this for style and one for script.
I went ahead and played in the code of the package locally, and added:

```
nonce={{ CSP_NONCE }}
```

in report.html at lines 6 and 64, within the script and style tags respectively, and it resolved 2 out of the 3 errors. I'm not sure where the 3rd error is coming from but it might be from the inline styles elsewhere.
Is there a more elegant way around that?
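
One way to track down a leftover violation like the third error described above is to scan the rendered page or template for every inline construct a nonce-based policy refuses. This is an added example, not part of the original post or of the linkcheck code base; the sample markup is constructed, and the names `InlineCSPAudit` and `audit_template` are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample, loosely modelled on a Django template that uses the
# CSP_NONCE variable from the post. It is not taken from linkcheck's report.html.
SAMPLE = """\
<style nonce="{{ CSP_NONCE }}">.ok { color: green; }</style>
<style>.bad { color: red; }</style>
<script nonce="{{ CSP_NONCE }}">var a = 1;</script>
<script src="/static/app.js"></script>
<th style="display:none">hidden</th>
<a href="#" onclick="recheck()">Recheck</a>
"""


class InlineCSPAudit(HTMLParser):
    """Collect inline constructs that a nonce-only CSP will block."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        names = {name for name, _ in attrs}
        line = self.getpos()[0]
        # <style> and inline <script> elements are allowed only with a nonce
        # (or a matching hash, which this audit does not evaluate).
        if tag == "style" and "nonce" not in names:
            self.findings.append((line, "style-element", "<style> without nonce"))
        if tag == "script" and "src" not in names and "nonce" not in names:
            self.findings.append((line, "script-element", "inline <script> without nonce"))
        # A nonce cannot authorise style="" attributes or on* handlers;
        # these have to move into static CSS/JS files.
        if "style" in names:
            self.findings.append((line, "style-attribute", f"<{tag} style=...>"))
        for name in sorted(n for n in names if n.startswith("on")):
            self.findings.append((line, "event-handler", f"<{tag} {name}=...>"))


def audit_template(source):
    """Return the findings for one template or rendered HTML document."""
    parser = InlineCSPAudit()
    parser.feed(source)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, kind, detail in audit_template(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

Run it against the rendered admin page as well as the template source, since markup inherited from a parent template only shows up after rendering.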