
Copilot AI commented Nov 22, 2025

Description

Removes 'unsafe-inline' from the style-src Content Security Policy directive in the Caddy configuration, eliminating an XSS attack vector. Also corrects invalid double semicolons in the CSP syntax.

Fixes #(issue number for unsafe-inline CSP security risk)

Changes:

  • Removed 'unsafe-inline' from style-src directive in frontend/Caddyfile
  • Fixed double semicolons after default-src and script-src directives to single semicolons

The application uses only external stylesheets (Vite-bundled CSS, Bootstrap, Google Fonts, FontAwesome). No inline styles exist in source or build output.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • Documentation update

How Has This Been Tested?

  • New unit tests
  • New integrated tests
  • New component tests
  • New end-to-end tests
  • New user flow tests
  • No new tests are required
  • Manual tests (description below)
  • Updated existing tests

Verified existing unit tests pass and frontend builds successfully.

Checklist

  • I have read the CONTRIBUTING doc
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have already been accepted and merged

Further comments

CSP 'unsafe-inline' allows arbitrary inline styles, which can be injected by attackers. Modern frontend tooling (Vite, React) compiles all styles to external CSS files, making this directive unnecessary and a security liability.

Original prompt

This section details the original issue you should resolve

<issue_title>Look into unsafe inline csp in caddy as it is a security risk</issue_title>
<issue_description></issue_description>

<agent_instructions>https://github.com/bcgov/copilot-instructions/blob/main/.github/copilot-upstream.md</agent_instructions>

Comments on the Issue (you are @copilot in this section)
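
The two fixes the PR describes, shown as an added example rather than code from the PR or the project: a small JavaScript linter that parses a Content-Security-Policy header value, reports 'unsafe-inline' in style-src/script-src/default-src together with the empty directives a double semicolon produces, and emits the corrected policy joined with single semicolons. The policy strings are constructed for illustration; the repository's real Caddyfile contents are not shown on this page, and the directive lists and function names are assumptions.

```javascript
// Added example, not code from the PR or the project. The policy strings are
// constructed to resemble the problems named in the PR description.

// Parse a CSP value into an ordered list of { name, sources } entries.
// Empty chunks (from ";;" or a trailing ";") are kept so the linter can
// report interior ones, which is what a double semicolon leaves behind.
function parseCsp(policy) {
  return policy.split(';').map((chunk) => {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    return {
      name: tokens.length ? tokens[0].toLowerCase() : '',
      sources: tokens.slice(1),
    };
  });
}

// Directives in which 'unsafe-inline' re-opens an injection path.
const INLINE_SENSITIVE = ['default-src', 'script-src', 'style-src'];

// Return a list of findings (strings). An empty list means the policy is
// free of the two issues this linter knows about.
function lintCsp(policy) {
  const findings = [];
  const parts = parseCsp(policy);
  parts.forEach((d, i) => {
    if (d.name === '') {
      // A trailing ";" also yields an empty chunk, but only at the very end;
      // an empty chunk anywhere else means two semicolons in a row.
      if (i < parts.length - 1) {
        findings.push(`empty directive at position ${i} (double semicolon?)`);
      }
      return;
    }
    if (INLINE_SENSITIVE.includes(d.name) &&
        d.sources.some((s) => s.toLowerCase() === "'unsafe-inline'")) {
      findings.push(`${d.name} allows 'unsafe-inline'`);
    }
  });
  return findings;
}

// Produce the corrected policy: drop 'unsafe-inline' from the named
// directives, drop empty directives, and re-join with single semicolons.
function hardenCsp(policy, directives = ['style-src']) {
  return parseCsp(policy)
    .filter((d) => d.name !== '')
    .map((d) => {
      const sources = directives.includes(d.name)
        ? d.sources.filter((s) => s.toLowerCase() !== "'unsafe-inline'")
        : d.sources;
      return [d.name, ...sources].join(' ');
    })
    .join('; ');
}

// Constructed "before" policy: double semicolons after default-src and
// script-src, and 'unsafe-inline' in style-src.
const BEFORE =
  "default-src 'self';; script-src 'self';; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
  "font-src 'self' https://fonts.gstatic.com";

const AFTER = hardenCsp(BEFORE);

console.log('before:', lintCsp(BEFORE));
console.log('after :', AFTER);
console.log('after findings:', lintCsp(AFTER));
```

Run it with node. The check is deliberately strict: it flags 'unsafe-inline' even when a nonce or hash source is listed alongside it, a combination in which browsers that implement CSP Level 2 or later ignore 'unsafe-inline' anyway. A policy that relies on that fallback should be reviewed explicitly rather than read by eye, which is also the reason the corrected output uses single semicolons only: an empty directive is silently dropped by browsers, so a typo next to it is easy to miss.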



Copilot AI and others added 3 commits November 22, 2025 18:47
Co-authored-by: DerekRoberts <4391600+DerekRoberts@users.noreply.github.com>
Co-authored-by: DerekRoberts <4391600+DerekRoberts@users.noreply.github.com>
Co-authored-by: DerekRoberts <4391600+DerekRoberts@users.noreply.github.com>
Copilot AI changed the title [WIP] Look into unsafe inline CSP in Caddy due to security risk Remove unsafe-inline from CSP and fix syntax errors Nov 22, 2025
Copilot finished work on behalf of DerekRoberts November 22, 2025 18:55
Copilot AI requested a review from DerekRoberts November 22, 2025 18:55
