Unclear how to configure to be compatible with CSP directive `style-src 'self'`
DougReeder opened this issue
Doug Reeder commented
The automatic inlining of CSS is cool, but it conflicts with the Content-Security-Policy `style-src 'self'`, which enforces a common and widely-recommended level of security.

Replacing

```
<style>{% getBundle "css" %}</style>
```

with

```
<link rel="stylesheet" href="{% getBundleFileUrl "css" %}">
```

in `base.njk` will move the static CSS to a separate file. This should be documented in the README.

However,

```
<ol reversed class="postlist" style="counter-reset: start-from {{ (postslistCounter or postslist.length) + 1 }}">
```

is more challenging, as it can't be moved to a static CSS file. Replacing it with

```
{%- css %}.postlist { counter-reset: start-from {{ (postslistCounter or postslist.length) + 1 }} }{% endcss %}
<ol reversed class="postlist">
```

appears to be sufficient.
Zach Leatherman commented
Thank you for the PR—looks great!
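A build-time check for the conflict described in this issue, added here as an example (it is not code from the thread or from the project): it reads a CSP string, decides whether inline styles are blocked, and lists the `<style>` elements and `style` attributes in rendered HTML. The function names, the sample pages and the `/bundle/abc123.css` path are constructed for illustration, and the regex scan is a simplification rather than a full HTML parser.

```javascript
// Return the source list that governs styles, falling back to default-src.
// When a directive is repeated, the first occurrence wins.
function styleSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives.get("style-src") ?? directives.get("default-src") ?? null;
}

// Inline styles are blocked when a style policy exists without 'unsafe-inline'.
// A nonce or hash source makes browsers ignore 'unsafe-inline', so that case is
// reported too: each inline style would need its own matching nonce or hash.
function blocksInlineStyles(csp) {
  const sources = styleSources(csp);
  if (sources === null) return false; // no directive restricts styles
  const nonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return nonceOrHash || !sources.includes("'unsafe-inline'");
}

// List inline <style> elements and style attributes with 1-based line numbers.
function findInlineStyles(html) {
  const pattern = /<style\b[^>]*>|<[a-z][^>]*?\sstyle\s*=[^>]*>/gi;
  return [...html.matchAll(pattern)].map((m) => ({
    line: html.slice(0, m.index).split("\n").length,
    kind: /^<style\b/i.test(m[0]) ? "style element" : "style attribute",
    snippet: m[0].slice(0, 60),
  }));
}

// Findings for one rendered page under one policy; empty when nothing is blocked.
function checkPage(csp, html) {
  return blocksInlineStyles(csp) ? findInlineStyles(html) : [];
}

// Constructed rendered output, before and after the changes described above.
const before = [
  "<style>.postlist{margin:0}</style>",
  '<ol reversed class="postlist" style="counter-reset: start-from 4">',
].join("\n");
const after = [
  '<link rel="stylesheet" href="/bundle/abc123.css">',
  '<ol reversed class="postlist">',
].join("\n");

console.log(checkPage("style-src 'self'", before));
console.log(checkPage("style-src 'self'", after));
```

Run over every file in the build output directory, a non-empty result can fail the build before the policy breaks the page in a browser.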