Move inline JavaScript to support a strict CSP-SOP

  • If you configure website to reach maximum score from observatory.mozilla.org , then some Shariff wrapper scripts don’t work: Inline code.

    This effect seems to avoid working the “Print” button.

    • This topic was modified 2 years, 8 months ago by narcisgarcia. Reason: Fixed tags
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Jan-Peter

    (@starguide)

    That is correct. The print button simply uses window.print() and if you forbid inline code via CSP, that won’t work. That will be a classical “won’t fix” since it would be totally unreasonable to include an extra .js file just for this one minimal function. Especially because WordPress itself will not work without ‘unsafe-inline’ and ‘unsafe-eval’ in the first place. If you really need to be that strict, just simply don’t use the print button. It’s function is merely a sometimes convenient offer that can easily be circumvented by using the native browser options.

    If you really, really, really need a strict CSP and you really, really, really need the print button, you could try to work something out with script-src-attr, but that is still not supported by all browsers. Like I said, you probably would be better of just getting rid of the print button.

    Cheers
    JP

    Thread Starter narcisgarcia

    (@narcisgarcia)

    With this policy, you can be contributing to WordPress don’t work without ‘unsafe-inline’ and ‘unsafe-eval’.

    Some people we are trying to promote a safer Internet web.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Move inline JavaScript to support a strict CSP-SOP’ is closed to new replies.