MathJax 2.7.4; Requires CSP with 'unsafe-inline' and 'unsafe-eval' in script-src (and 'unsafe-inline' in style-src)! #1988
Comments
MathJax uses In your case you could put
in a file, say
for your configuration. That should prevent the use of |
Thank you for the prompt response! Now I can get away without Thanks for posting that snippet because I have 0 Javascript knowledge. Now I am fiddling with the code to see what works so that |
I updated the code so that you use an external file so that you don't need inline scripts. See if that is better. |
Thank you! I will close this issue. I see that I need Thanks again. |
@kaushalmodi Can I please check if your webpage's equations render smoothly? Mine takes a while to render and then complains that a file cannot be loaded (e.g. Did you have this issue too? Any help you can give will be greatly appreciated! Thank you.
|
Sure. Here's one of the examples: https://ox-hugo.scripter.co/test/real-examples/multifractals-in-ecology-using-r/. You can review the code related to MathJax in the site source. And here's my _headers containing the CSP: https://github.com/kaushalmodi/ox-hugo/blob/master/doc/static/_headers If CSP is causing that failure to load the script, you should see CSP failure messages in the browser dev console. I use Firefox and I just do Ctrl + Shift + I and click on the Console tab. Also, note I don't set the CSP in meta tags as you do. So I am not sure if that works. But if you see CSP errors in the Console, that should confirm that. |
Thank you @kaushalmodi. Your help is greatly appreciated. I followed your advice and eventually figured out that the server is blocking some modules from loading. Fixing the server setting is beyond my skillset and time constraints (luckily, I have another server to use). Thanks again for your help. |
Any progress on removing the requirement for |
I'm facing the same issue as jamiebikies above: can the requirement for |
It's still unclear from the documentation how to disable the use of inline CSS in MathJax 3.x. Ideally we could have the option to use an external CSS file and an example of the default CSS rules. |
While I understand the desire for this, I don't see that it is going to be possible, since the in-line styles are very dependent on the content, and because the layout requires very small tolerances, you can't just substitute nearby values for these. The only hope for it would be to pre-process the math on the server (rather than running MathJax in the browser), and collecting all the specific style values into a CSS file. That could be done, but probably requires some significant adjustments to MathJax's internals, or alternatively, post-processing the resulting output to collect and remove the in-line styles. The latter is probably the easier approach and could be a nice project for a community contributor, if someone wanted to take that on. Note, however, that server-side processing makes some things more difficult (like matching the surrounding font size, using surrounding fonts for |
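The post-processing approach described in the comment above, sketched as an added example (not MathJax code and not written by any participant in this thread): it moves each style attribute in serialized markup into a class rule destined for an external stylesheet. The `xs-` class prefix, the function names and the sample markup are constructed for illustration, and the regex scan assumes double-quoted attributes.

```javascript
// Opening tag; double-quoted attribute values may themselves contain '>'.
const TAG = /<[a-zA-Z](?:[^<>"]|"[^"]*")*>/g;
const STYLE = /\sstyle="([^"]*)"/;   // leading \s keeps data-style="..." untouched
const CLASS = /(\sclass=")([^"]*)"/;

// Decode the entities a serializer emits inside attribute values, then
// canonicalize the declaration list so equal styles share one rule.
function normalize(value) {
  return value.replace(/&quot;/g, '"').replace(/&amp;/g, '&')
    .split(';').map(d => d.trim()).filter(Boolean).join('; ');
}

// Returns markup without style attributes plus the CSS that replaces them.
function extractInlineStyles(html) {
  const rules = new Map(); // declaration text -> generated class name
  const out = html.replace(TAG, tag => {
    const m = STYLE.exec(tag);
    if (!m) return tag;
    const rest = tag.replace(STYLE, '');
    const decls = normalize(m[1]);
    if (!decls) return rest; // empty style attribute: just drop it
    if (!rules.has(decls)) rules.set(decls, 'xs-' + (rules.size + 1));
    const cls = rules.get(decls);
    // Append to an existing class attribute, or add one after the tag name.
    return CLASS.test(rest)
      ? rest.replace(CLASS, (_, open, v) => `${open}${(v + ' ' + cls).trim()}"`)
      : rest.replace(/^<[^\s\/>]+/, name => `${name} class="${cls}"`);
  });
  const css = [...rules].map(([d, c]) => `.${c} { ${d}; }`).join('\n');
  return { html: out, css };
}

// Constructed sample markup, not real MathJax output.
const SAMPLE = '<span class="frac" style="vertical-align: -0.686em;">' +
  '<span style="width: 1.2em">x</span>' +
  '<span style=" width: 1.2em; ">y</span></span>';

const result = extractInlineStyles(SAMPLE);
console.log(result.html);
console.log(result.css);
```

A class rule has lower specificity than the style attribute it replaces, so the generated file should load after any stylesheet that targets the same elements.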
Following some of the suggestions here: mathjax/MathJax#1988
Hello,
Unless I set 'unsafe-eval' in my script-src rule in Content-Security-Policy in HTTP header, the MathJax font rendering does not work. I see this error in the browser inspector without that:
For now, I have added 'unsafe-eval' eval to the headers to make MathJax work, but this is the page where I saw this issue: https://scripter.co/latex-in-html/.
This is how I load MathJax: