Apply Strict Content Security Policy - remove unsafe-inline for style

Hi All,

We have an app which doesn't use any third-party widgets, and we want to set CSP to default-src: self. We followed the instructions here https://docs.mendix.com/howto/security/csp/ and moved the JS script to an external file. However, when the app runs, we get this error:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' https://sprintr.home.mendix.com https://*.googleapis.com https://maxcdn.bootstrapcdn.com https://fonts.gstatic.com". Either the 'unsafe-inline' keyword, a hash ('sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Checking further, it is caused by the "ValidationMessage" widget, since the widget tries to set the style inline:

```javascript
declaredClass: "mxui.widget.ValidationMessage",
buildRendering: function() {
    this.domNode = r.create("div", {
        class: "alert alert-danger",
        style: "display: none"
    });
    const e = s().makeShareId(this.mxform, this.mxid);
    this.own(o.subscribe(e, (e => this._showMessage(e))));
},
```

Since the widget is quite important, does it mean that we can only remove "unsafe-inline" for the script but still need it (unsafe-inline) for style?

style-src 'self' 'unsafe-inline'

Do you know any way to remove the directive "unsafe-inline" also for style?

Best regards,
0 answers
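The browser's error message above encodes three CSP rules that decide the outcome for this widget: style-src falls back to default-src when absent, a hash or nonce silences 'unsafe-inline', and a hash only covers a style="..." attribute (as opposed to a `<style>` element) when 'unsafe-hashes' is also listed. The following evaluator, added here as an illustration and not code from the question, from Mendix, or from the Mendix client, reproduces those rules so a policy can be checked offline before it is deployed. It assumes the policy is passed as a plain header value; the "display: none" text and the policies in `main` are constructed inputs, and no claim is made that the hash in the error message corresponds to that text.

```python
"""Offline evaluator for CSP inline-style decisions (added example, not Mendix code)."""
import base64
import hashlib
from typing import Dict, List, Optional


def csp_sha256(source: str) -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for an inline body.

    The hash covers the exact bytes between <style> tags or the exact value of a
    style attribute, so any whitespace change produces a different token.
    """
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def style_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Inline styles are governed by style-src; default-src is the fallback.

    Returns None when neither directive is present (nothing to enforce).
    """
    if "style-src" in policy:
        return policy["style-src"]
    return policy.get("default-src")


def inline_style_allowed(header: str, style_text: str, *,
                         attribute: bool, nonce: Optional[str] = None) -> bool:
    """Decide whether a browser would apply an inline style under `header`.

    attribute=True  -> a style="..." attribute on an element
    attribute=False -> a <style>...</style> element (a nonce may be set on it)
    """
    sources = style_sources(parse_csp(header))
    if sources is None:
        return True  # no style-src and no default-src: unrestricted

    # Keywords, hashes and nonces are written inside single quotes; strip them.
    tokens = [s[1:-1] if s.startswith("'") and s.endswith("'") else s
              for s in sources]
    keywords = {t.lower() for t in tokens}
    hashes = {t for t in tokens if t.startswith(("sha256-", "sha384-", "sha512-"))}
    nonces = {t[len("nonce-"):] for t in tokens if t.startswith("nonce-")}

    # Once any hash or nonce source is listed, 'unsafe-inline' is ignored.
    if "unsafe-inline" in keywords and not hashes and not nonces:
        return True

    # A nonce attaches to an element; there is no way to nonce an attribute.
    if not attribute and nonce is not None and nonce in nonces:
        return True

    # A hash matches a <style> element directly, but matches a style
    # attribute only when 'unsafe-hashes' is also present.
    if csp_sha256(style_text) in hashes:
        return (not attribute) or ("unsafe-hashes" in keywords)

    return False


if __name__ == "__main__":
    # Policy quoted in the question, applied to a constructed attribute value.
    page_policy = ("default-src 'self' https://sprintr.home.mendix.com "
                   "https://*.googleapis.com https://maxcdn.bootstrapcdn.com "
                   "https://fonts.gstatic.com")
    print(inline_style_allowed(page_policy, "display: none", attribute=True))  # False

    # Hash plus 'unsafe-hashes' admits exactly this attribute value and nothing else.
    token = csp_sha256("display: none")
    tightened = f"default-src 'self'; style-src 'self' '{token}' 'unsafe-hashes'"
    print(inline_style_allowed(tightened, "display: none", attribute=True))   # True
    print(inline_style_allowed(tightened, "display: block", attribute=True))  # False
```

The evaluator shows why the fallback policy rejects the widget and which narrower alternatives to a blanket 'unsafe-inline' exist: a per-value hash with 'unsafe-hashes' for attribute values that never change, or a nonce for `<style>` elements the server renders. Neither helps for attribute values generated at runtime, which is the case to keep in mind when deciding whether 'unsafe-inline' can be dropped from style-src.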