On Craft 2.x, is it a known limitation that we must allow unsafe-inline for script-src in the Content-Security-Policy? My admin dashboard fails to load when I don't allow it.
...Trying to get a high grade on Mozilla Observatory :)
I implemented this recently, and what I ended up doing is returning the Content-Security-Policy headers using PHP. Depending on the request path (is it a CP URL or not?), we send CSP headers with unsafe-inline and unsafe-eval, or not.
Of course, the CP is still unsecured, but what you can do is specify a custom domain for the CP in your configuration (using the "baseCpUrl" key). Something like "admin.yourwebsite.com" that only certain users can access (using IP filtering, for example).
It is still not a perfect solution, but we cannot do anything at the CP level, unfortunately. I hope this will not be an issue anymore in Craft 3.
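An added example of the per-request approach the answer describes (my code, not the answerer's or Craft's). It assumes the CP lives either on the host configured via baseCpUrl (assumed here to be admin.example.com) or under Craft 2's cpTrigger path segment (default "admin"), and that sendCsp() is called early in the front-controller PHP before any output.

```php
<?php
// Decide whether a request is for the Craft control panel (CP).
// $cpHost is the host from the assumed baseCpUrl setting; $cpTrigger is the
// first path segment Craft 2 uses for the CP (default "admin").
function isControlPanelRequest(string $host, string $path, string $cpHost, string $cpTrigger = 'admin'): bool
{
    if (strcasecmp($host, $cpHost) === 0) {
        return true;
    }
    // Compare the first path segment exactly: "/admin/..." is the CP,
    // but "/blog/administration" or "/administrator" is a normal page.
    $onlyPath = parse_url($path, PHP_URL_PATH);
    $segments = explode('/', trim(is_string($onlyPath) ? $onlyPath : '', '/'));
    return $segments[0] === $cpTrigger;
}

// Build the CSP string. Only CP requests get the unsafe-inline / unsafe-eval
// relaxation on script-src; public site pages keep the strict policy.
function buildCsp(bool $isCp): string
{
    $scriptSrc = $isCp
        ? "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
        : "script-src 'self'";
    return implode('; ', [
        "default-src 'self'",
        $scriptSrc,
        "object-src 'none'",
        "base-uri 'self'",
    ]);
}

// Emit the header for the current request (call before Craft bootstraps).
function sendCsp(string $cpHost = 'admin.example.com'): void
{
    $isCp = isControlPanelRequest(
        $_SERVER['HTTP_HOST'] ?? '',
        $_SERVER['REQUEST_URI'] ?? '/',
        $cpHost
    );
    header('Content-Security-Policy: ' . buildCsp($isCp));
}

// Constructed sample requests to sanity-check the routing logic:
assert(isControlPanelRequest('www.example.com', '/admin/dashboard', 'admin.example.com') === true);
assert(isControlPanelRequest('admin.example.com', '/', 'admin.example.com') === true);
assert(isControlPanelRequest('www.example.com', '/blog/administration', 'admin.example.com') === false);
assert(strpos(buildCsp(false), 'unsafe-') === false);
assert(strpos(buildCsp(true), "'unsafe-eval'") !== false);
```

Pair this with the IP restriction on the CP host that the answer mentions, since the relaxed policy is only as safe as the audience that can reach that host.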
unsafe-inline? – David Oliver Apr 09 '18 at 18:59