CSP + DebugBar #1165

Closed
@nowackipawel

Hi there, I'm not a CSP expert.
I configured CSP with self and required domains (for script, style and fonts) and everything was gr8 until DebugToolbar was turned on. Even if all of the toolbar's tabs seem to work ok... there are errors in the console:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: onclick attribute on A element. [only once]
Content Security Policy: The page’s settings blocked the loading of a resource at self (“style-src”). [repeated when tab is changed]
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). [repeated when tab is changed]

[nginx/php7.2/debian + ff / iridium]

... actually iridium (chrome) gave me more details:
?debugbar:49 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://maxcdn.bootstrapcdn.com/ https://use.fontawesome.com/ 'nonce-fd68498a9d2a9ea28cd45f26'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

xhttp.onreadystatechange @ ?debugbar:49

I think the problem is not with the first HTML code which is generated by DebugToolbar but when it tries to apply additional scripts/styles.
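An added example, not part of the original issue or of the DebugToolbar code: a simplified checker that applies the nonce rules behind the console errors above to an HTML fragment. The `script-src` value, the HTML fragment and the function names are constructed for illustration; only the `style-src` value comes from the error message, and hash sources are not modelled.

```javascript
// style-src is taken from the error above; script-src is an assumed counterpart.
const SAMPLE_CSP = "script-src 'self' 'nonce-fd68498a9d2a9ea28cd45f26'; " +
  "style-src 'self' https://maxcdn.bootstrapcdn.com/ https://use.fontawesome.com/ 'nonce-fd68498a9d2a9ea28cd45f26'";
// Constructed fragment: one nonced <style> plus the kinds of inline content the errors mention.
const SAMPLE_HTML = `<style nonce="fd68498a9d2a9ea28cd45f26">.bar{}</style>
<a href="#" onclick="toggle()">tab</a>
<style>.tab{}</style>
<script>init()</script>
<div style="display:none"></div>`;

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function inlineRules(policy, directive) {
  const sources = policy[directive] || policy['default-src'] || null;
  if (sources === null) return { allowAll: true, nonces: [] }; // no directive applies
  const nonces = sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1));
  const hasHash = sources.some(s => /^'sha(256|384|512)-/.test(s));
  // A nonce or hash in the source list makes browsers ignore 'unsafe-inline'.
  const allowAll = sources.includes("'unsafe-inline'") && nonces.length === 0 && !hasHash;
  return { allowAll, nonces };
}

function findBlockedInline(cspHeader, html) {
  const policy = parseCsp(cspHeader);
  const rules = { script: inlineRules(policy, 'script-src'), style: inlineRules(policy, 'style-src') };
  const blocked = [];
  for (const m of html.matchAll(/<([a-z0-9]+)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase(), attrs = m[2];
    const nonce = (attrs.match(/\bnonce="([^"]*)"/i) || [])[1];
    if ((tag === 'script' && !/\bsrc=/i.test(attrs)) || tag === 'style') {
      if (!rules[tag].allowAll && !rules[tag].nonces.includes(nonce)) blocked.push(`<${tag}> element`);
    }
    // Event-handler and style attributes cannot carry a nonce at all.
    for (const a of attrs.matchAll(/\s(on[a-z]+|style)\s*=/gi)) {
      const name = a[1].toLowerCase();
      const r = name === 'style' ? rules.style : rules.script;
      if (!r.allowAll) blocked.push(`${name} attribute on <${tag}>`);
    }
  }
  return blocked;
}
```

Running `findBlockedInline(SAMPLE_CSP, SAMPLE_HTML)` lists every inline element or attribute that lacks a matching nonce, which is the case for markup fetched and injected after the initial page render.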
