
CSP, Content Security Policy

Open itst opened this issue 4 years ago • 2 comments

I am struggling to make the webplayer work on a site using CSP.

The issue seems to be that Podlove, once loaded from the whitelisted cdn.podlove.org location, and using a nonce'd episode config, sets out to create additional script, style, and iframe tags. The iframes contain additional script and style tags.

Console looks like this: https://imgur.com/T3m8khq

Before I get into an argument to 'unsafe-inline' everything, is CSP support anywhere on your roadmap?

itst avatar Dec 11 '20 12:12 itst

Hey Sascha, a lot of elements are created in a dynamic manner. Especially creating the sandboxing iframe without a src is a potential issue for CSP. So I guess there won't be any other way than unsafe-inline. If you know a compliant solution I would appreciate any help.

alexander-heimbuch avatar Dec 11 '20 13:12 alexander-heimbuch

I don't know about source-less iframes - could that work via Subresource Integrity?

This left aside, in the past I used this approach. Call the parent element with an additional attribute/parameter data-nonce and reuse this nonce on all instances created by the parent.

itst avatar Dec 11 '20 20:12 itst
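The data-nonce idea from the last comment, worked through as an added example (this is not podlove-ui code and does not reflect how the player actually builds its DOM). It propagates the nonce carried by the host element (falling back to the nonce of the currently executing script) onto every script and style element created, including the ones placed inside a src-less iframe, whose about:blank document inherits the parent page's CSP. A small policy checker then evaluates the created elements against a CSP header so you can see which ones would be blocked with and without the nonce. The function names, the `r4nd0m` nonce, the CSP header and the in-memory document stand-in are all constructed for this example; in a page you would pass the real `document`.

```javascript
// Added example, not podlove-ui code. Names, nonce value and CSP header are
// constructed for illustration.

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Would an inline <script>/<style> carrying `nonce` be allowed by `directive`?
// Follows the CSP rules that script-src/style-src fall back to default-src,
// and that 'unsafe-inline' is ignored once a nonce or hash source is present.
function allowsInline(policy, directive, nonce) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true; // directive absent: no restriction applies
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !hasNonceOrHash && sources.includes("'unsafe-inline'");
}

// Minimal in-memory stand-in for the browser DOM so the example runs under
// Node (constructed; pass the real `document` in a page).
function makeDocument() {
  const doc = {
    createElement(tag) {
      const el = {
        tagName: tag.toUpperCase(), attrs: {}, children: [], dataset: {},
        setAttribute(k, v) {
          el.attrs[k] = String(v);
          if (k.startsWith('data-')) el.dataset[k.slice(5)] = String(v);
        },
        getAttribute(k) { return k in el.attrs ? el.attrs[k] : null; },
        appendChild(c) { el.children.push(c); return c; },
      };
      // A src-less iframe gets an about:blank document that inherits the parent's CSP.
      if (tag === 'iframe') el.contentDocument = makeDocument();
      return el;
    },
  };
  doc.head = doc.createElement('head');
  doc.body = doc.createElement('body');
  return doc;
}

// Mount a player under `host`, tagging every created inline element with the
// nonce from data-nonce on the host, or else from the running script's nonce.
function mountPlayer(doc, host, assets) {
  const nonce = host.dataset.nonce || (doc.currentScript && doc.currentScript.nonce) || '';
  const created = [];
  const nonced = (owner, tag) => {
    const el = owner.createElement(tag);
    if (nonce) el.setAttribute('nonce', nonce); // must be set before insertion
    created.push(el);
    return el;
  };
  const style = nonced(doc, 'style');
  style.textContent = assets.css;
  doc.head.appendChild(style);
  const script = nonced(doc, 'script');
  script.textContent = assets.js;
  doc.head.appendChild(script);

  // Sandboxing iframe without src: attach it first (contentDocument is only
  // live once attached), then reuse the same nonce inside it.
  const frame = doc.createElement('iframe');
  host.appendChild(frame);
  const inner = frame.contentDocument;
  const innerStyle = nonced(inner, 'style');
  innerStyle.textContent = assets.css;
  inner.head.appendChild(innerStyle);
  const innerScript = nonced(inner, 'script');
  innerScript.textContent = assets.js;
  inner.head.appendChild(innerScript);
  return created;
}

// Evaluate created elements against the page's CSP; returns tags that would be blocked.
function blockedElements(cspHeader, elements) {
  const policy = parseCsp(cspHeader);
  return elements
    .filter(el => !allowsInline(policy, el.tagName === 'SCRIPT' ? 'script-src' : 'style-src', el.getAttribute('nonce')))
    .map(el => el.tagName.toLowerCase());
}

// Constructed policy: the CDN is whitelisted, inline script/style only via nonce.
const CSP = "default-src 'self'; script-src 'self' https://cdn.podlove.org 'nonce-r4nd0m'; style-src 'self' 'nonce-r4nd0m'";

function demo(nonceOnHost) {
  const doc = makeDocument();
  const host = doc.createElement('div');
  if (nonceOnHost) host.setAttribute('data-nonce', 'r4nd0m');
  doc.body.appendChild(host);
  const els = mountPlayer(doc, host, { css: '.player{}', js: 'void 0' });
  return blockedElements(CSP, els);
}
// demo(false) → ['style','script','style','script']; demo(true) → []
```

Without the host nonce all four dynamically created inline elements fail the policy, which matches the console errors described in the issue; with data-nonce propagated, none do, and 'unsafe-inline' is never needed. The checker also shows why adding 'unsafe-inline' alongside a nonce gains nothing: once a nonce or hash source is present in the directive, browsers ignore 'unsafe-inline'.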