CSP and a11y.css

[nico3333fr]

Hi there,

as promised a loooong time ago, here are CSP directives needed to make work a11y.css on website with Content Security Policy enabled.

Important to know: we should NOT udpate our CSP policies to make the bookmarklet work.

However, browsers still have some bugs (Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1215108 && https://bugzilla.mozilla.org/show_bug.cgi?id=866522, Chrome : https://bugs.chromium.org/p/chromium/issues/detail?id=595004 && https://bugs.chromium.org/p/chromium/issues/detail?id=233903)

How to

I've just used http://csp.nicolas-hoffmann.net/ (code of poc is here https://github.com/nico3333fr/CSP-useful/tree/master/csp-check), and tested directives.

I've tested on Firefox and Chrome (I couldn't test on Edge, doesn't support bookmarklets ???).

The directives to fix it

I had to add 'unsafe-inline' value to script-src and https://rawgit.com/ value to style-src directives, and it seemed to be ok for Chrome and Firefox.

So while waiting for browsers to fix these bugs, here is what you need to add. ;)
Nicolas

[ffoodd]

This is very interesting, thank you!

I'll need a little more help with these: how do I add these fixes? Do I need to modify the CSS file header, or do I only mention those fixes in the README.md?

[nico3333fr]

You don't have to modify the CSS file header, it is up to site creators to update their CSP headers.

So I suppose it doesn't need more than a short sentence in the readme, just in case of :)

[ffoodd]

Fine, let's do it :)

Thank you!

[nico3333fr]

A small typo in english version:

Let’s be honest, in theory you should not update your CSP directives to allow directives.

Let’s be honest, in theory you should not update your CSP directives to allow bookmarklets.

Thanks ;)

[ffoodd]

Oh indeed, thanks :D