To my surprise, it is possible to serve inline <style> blocks with Content Security Policy enabled and without falling back to 'unsafe-inline': CSP accepts the hash of each block as a source expression in style-src.
- Hash exactly the bytes between the opening <style> and closing </style> tag, including every '\n' and every space. A leading newline after the opening tag or a trailing newline added by your editor changes the hash, so the file you hash must match the page byte for byte, e.g.
cat style.css | openssl sha256 -binary | openssl base64
- Prepend sha256- to the base64 output, wrap it in single quotes and use it as a value for style-src. Browsers also accept sha384- and sha512-; the hash only covers <style> elements, not style="" attributes.
- Choose other sensible sources for your Content Security Policy header and tell
your server to add them. My nginx config uses something like this inside server{ } (the quotes must be plain ASCII quotes in the real config):
add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: ; style-src 'self' 'sha256-lpsz9E6biQsTXICP2gywC3dzc+gLgUeiMPivKQ0W3U0=';";
Note that nginx does not merge add_header directives across levels: a location{ } block that declares its own add_header inherits none of the server-level ones, so the policy silently disappears there unless you repeat it.
You might not want to allow 'data:' as image source. It is far less dangerous for images than for scripts or objects, but it widens the policy for no reason if your pages never embed data: URIs.
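The whole procedure as an added example (my code, not part of the original post): extract every inline <style> block from an HTML document, hash the text between the tags byte for byte, and assemble a header value in the shape of the nginx line above. The sample page is constructed for the example; the function names are mine. It also shows the failure mode from step one: hashing the same CSS with an extra trailing newline produces a different, and therefore useless, hash.

```python
from __future__ import annotations

import base64
import hashlib
import re

# Constructed sample page for this example; the <style> block deliberately has a
# newline after the opening tag and before the closing tag.
SAMPLE_HTML = """<!doctype html>
<html><head>
<style>
body { color: #333; }
</style>
</head><body><p>hello</p></body></html>
"""

# Everything between <style ...> and </style>, newlines included (DOTALL).
STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.DOTALL | re.IGNORECASE)


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for exactly this text.

    The browser hashes the UTF-8 bytes of the element's text content verbatim,
    so any whitespace difference between what you hash and what you serve
    breaks the match. Equivalent to:
      printf '%s' "$css" | openssl sha256 -binary | openssl base64
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only allows sha256, sha384 and sha512")
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_style_hashes(html: str) -> list[str]:
    """Hash every inline <style> block in an HTML document, in document order."""
    return [csp_hash(block) for block in STYLE_RE.findall(html)]


def build_csp(style_hashes: list[str], allow_data_images: bool = False) -> str:
    """Assemble a Content-Security-Policy value like the nginx add_header above."""
    img_src = "'self' data:" if allow_data_images else "'self'"
    style_src = " ".join(["'self'", *style_hashes])
    return f"default-src 'self'; img-src {img_src}; style-src {style_src}"


def hash_matches_block(html: str, expected: str) -> bool:
    """True if a hash already in the header still covers some <style> block on the page.

    Run this after editing a page: a stale hash means the browser will refuse
    to apply the block and report a style-src violation.
    """
    return expected in inline_style_hashes(html)


if __name__ == "__main__":
    hashes = inline_style_hashes(SAMPLE_HTML)
    print(build_csp(hashes))
    # Common mistake: hashing the CSS from a file that lacks the page's leading
    # newline, or that the editor terminated with an extra one.
    wrong = csp_hash("body { color: #333; }")
    print("stale/mismatched hash accepted?", hash_matches_block(SAMPLE_HTML, wrong))
```

Keep the hash list generated from the served HTML rather than from a separate CSS file, so a whitespace-only change to the page cannot silently desynchronise the header from the block.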
Posted in programming, 2020-11-26 12:12 UTC