Content Security Policy: inline scripts getting blocked #1432
Replies: 2 comments
Hi @jcdarwin, Sorry for the trouble you're experiencing. The sample formatting templates included with Freeform are there for convenience and will not work in every scenario, unfortunately. For this reason, we always advise developers to use them as a starting point or at least clone the one(s) you wish to use so that it can be adjusted for your own needs and protect you from any changes we make to them in future versions (we do try to minimize this though). 🙂 For Freeform to handle this scenario, I believe it would need to automatically detect if and which sample formatting template was being used and then insert a call to a script for it. I don't know how feasible this is or how much more it muddies up the water for others. However, I have noted this and we'll see if there is an elegant solution we can apply here. 🙂
This has now been changed in Freeform 5.6+ 🙂 All sample formatting templates now access scripts and CSS via URL.
What happened?
Inline scripts are added to the page (e.g. the foundation-6/_main.js script), and these break content security policy, such that the form cannot be submitted, and fails silently for the user.
See the attached screenshot which shows the error in the Chrome dev tools:
The ideal behaviour would be to include this script from a file, rather than including it inline in the page, or allowing the addition of a nonce.
How can we reproduce this?
script-src 'self'
For the time being, my workaround is to copy the foundation-6/_main.js script, and include it inline from one of my other templates, adding a nonce to it (using the born05/craft-csp plugin to generate the nonce).
Versions
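The three cases in this thread (the inline sample-template script, the nonce workaround, and loading the script by URL), checked against a simplified model of `script-src` matching. This is an added example, not Freeform or browser code; the origin, nonce value and script paths are constructed, and hashes, host sources, `'strict-dynamic'` and `default-src` fallback are not modelled.

```javascript
// Simplified model of script-src matching: 'self', 'unsafe-inline' and nonces only.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // no script-src directive: this model applies no restriction
}

function isScriptAllowed(policy, script, pageOrigin) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true;
  const hasKeyword = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // nonce values are compared case-sensitively
  // A matching nonce allows the element whether it is inline or external.
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (script.src) {
    // External script: 'self' matches a URL on the page's own origin.
    return hasKeyword("'self'") &&
      new URL(script.src, pageOrigin).origin === pageOrigin;
  }
  // Inline script without a valid nonce: only 'unsafe-inline' can allow it,
  // and browsers ignore 'unsafe-inline' when a nonce source is present.
  return hasKeyword("'unsafe-inline'") && nonces.length === 0;
}

// Constructed sample values (not taken from the thread).
const ORIGIN = 'https://example.test';
const NONCE = 'c2FtcGxlLW5vbmNl';
const STRICT = "script-src 'self'";
const WITH_NONCE = `script-src 'self' 'nonce-${NONCE}'`;

function threadCases() {
  return {
    inlineTemplateScript: isScriptAllowed(STRICT, { inline: true }, ORIGIN),
    inlineWithNonce: isScriptAllowed(WITH_NONCE, { nonce: NONCE }, ORIGIN),
    inlineWrongNonce: isScriptAllowed(WITH_NONCE, { nonce: 'stale' }, ORIGIN),
    sameOriginFile: isScriptAllowed(STRICT, { src: '/assets/form-main.js' }, ORIGIN),
    thirdPartyFile: isScriptAllowed(STRICT, { src: 'https://cdn.example.net/x.js' }, ORIGIN),
  };
}

console.log(threadCases());
```

Serving the script from a same-origin URL passes the strict policy unchanged, while the nonce route requires widening the policy with a per-response nonce.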