Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove in-line script from header #1004

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

remove in-line script from header #1004

wants to merge 2 commits into from
+10 −11

Conversation

davidgs
Copy link
Contributor

@davidgs davidgs commented Oct 21, 2024

Issue

An in-line script is added to the header, which cannot be executed if the Content-Security policy is anything but unsafe-inline. unsafe-inline should never be allowed.

This PR adds the script to the main application.js script, which is hashed, and so removes the issue.

fixes #1002

Description

Removes the in-line script

<script>
      theme = localStorage.getItem('theme-scheme') || localStorage.getItem('darkmode:color-scheme') || 'light';
      if (theme == 'system') {
        if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
          theme = 'dark';
        } else {
          theme = 'light';
        }
      }
      document.documentElement.setAttribute('data-theme', theme);
    </script>

from baseof.html and adds it to the `application.js script.

Test Evidence

prior to change:

davidgs.com/:68 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://app.posthog.com/ *.googletagmanager.com https://cdn.userfront.com https://commento.davidgs.com:8088  *.unpkg.com apis.google.com *.googleapis.com cdn.polyfill.io https://buttons.github.io  cdn.jsdelivr.net *.zencdn.net https://cdnjs.cloudflare.com https://*.google-analytics.com https://*.statcounter.com". Either the 'unsafe-inline' keyword, a hash ('sha256-WiE2LPSnZlTiP9NnrQN14OnMKI2ild8fGH0n+PhofS0='), or a nonce ('nonce-...') is required to enable inline execution.

After change: no error.

@netlify Netlify
Copy link

netlify bot commented Oct 21, 2024
edited
Loading

Deploy Preview for toha-ci ready!

Name Link
🔨 Latest commit 56787e0
🔍 Latest deploy log https://app.netlify.com/sites/toha-ci/deploys/6716becb7560780008383c56
😎 Deploy Preview https://deploy-preview-1004--toha-ci.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@davidgs davidgs mentioned this pull request Oct 21, 2024
Open
6 tasks
@joyao joyao added the bug-fix Bug fixes label Oct 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug-fix Bug fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

script in based.html can't be executed
2 participants
@davidgs @joyao