Any form of CSP will break the admin plugin #385
When deploying CSP in the HTTP headers through the .htaccess file it will break the admin plugin, even with 'unsafe-eval' enabled. Unsure what the exact root cause is. From the firebug console it seems the CSP policy is blocking the loading of a resource based on the script-src policy, which unless the admin plugin requires external scripts should be fine (doesn't seem that the admin plugin actually calls an external script as far as I can judge).
Did you look at the new session options? Maybe they will help with this?
I'm new to Grav. I started easily, but now, when I want to optimize, I can no longer use this plugin with CSP.
It would be great,
```php
<?php
// Horrible but urgent workaround: allow all inline scripts.
// (The header name is followed directly by a colon; "Content-Security-Policy :" with a space is not a valid header.)
header("Content-Security-Policy: default-src 'self' 'unsafe-inline';");

// Or better, with a nonce declaration. The value below is the one posted in the thread;
// in real use the nonce must be a fresh random value generated for every response.
$nonce = 'cf22c45833a1453b77429cd9e63993da';
header("Content-Security-Policy: default-src 'self' 'nonce-{$nonce}';");

// With the matching script declaration in the page:
// <script nonce="cf22c45833a1453b77429cd9e63993da">
```
A good introduction: www.html5rocks.com content-security-policy
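As an added example (not code from this thread or from the Grav project), here is the nonce variant of the workaround above with the nonce generated per response instead of hard-coded: a fixed nonce that ships in every page is no better than `'unsafe-inline'` once anyone has read it. The policy directives, the helper names `makeCspNonce` and `buildCspHeader`, and the demo page are all assumptions made for the example; it shows the mechanism a CSP-compatible page needs, not a fix for the admin plugin itself, whose own inline scripts would have to carry the nonce attribute.

```php
<?php
// Added example: per-response CSP nonce for a PHP-rendered page.
// Every response gets a new random nonce; only <script> tags carrying the
// matching nonce attribute run, and 'unsafe-inline' is not needed.

function makeCspNonce(): string
{
    // 128 bits from the CSPRNG, hex-encoded, so the nonce cannot be guessed.
    return bin2hex(random_bytes(16));
}

function buildCspHeader(string $nonce): string
{
    // Assumed policy: self-hosted resources, plus inline scripts tagged with this nonce.
    // object-src 'none' and base-uri 'self' close two common policy bypasses.
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; "
         . "base-uri 'self'";
}

$nonce = makeCspNonce();

// While rolling the policy out, send it as Content-Security-Policy-Report-Only
// instead: violations are logged to the browser console but nothing is blocked,
// which is how to find out which scripts the admin pages actually load.
header('Content-Security-Policy: ' . buildCspHeader($nonce));
?>
<!DOCTYPE html>
<html>
<head><title>CSP nonce demo</title></head>
<body>
<!-- This script carries the nonce from the header and is allowed to run. -->
<script nonce="<?= htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') ?>">
  console.log('nonced inline script ran');
</script>

<!-- This one has no nonce: the browser refuses it and reports a CSP violation. -->
<script>
  console.log('this never runs under the policy above');
</script>
</body>
</html>
```

Save the file as a page served by PHP and load it with the browser console open: the first `console.log` appears, the second is replaced by a CSP violation message naming `script-src`, which is the same class of error the original report describes seeing in Firebug.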