Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remove in-line script from header #1004

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

davidgs
Copy link
Contributor

@davidgs davidgs commented Oct 21, 2024

Issue

An in-line script is added to the header, which cannot be executed if the Content-Security policy is anything but unsafe-inline. unsafe-inline should never be allowed.

This PR adds the script to the main application.js script, which is hashed, and so removes the issue.

fixes #1002

Description

Removes the in-line script

<script>
      theme = localStorage.getItem('theme-scheme') || localStorage.getItem('darkmode:color-scheme') || 'light';
      if (theme == 'system') {
        if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
          theme = 'dark';
        } else {
          theme = 'light';
        }
      }
      document.documentElement.setAttribute('data-theme', theme);
    </script>

from baseof.html and adds it to the `application.js script.

Test Evidence

prior to change:

davidgs.com/:68 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://app.posthog.com/ *.googletagmanager.com https://cdn.userfront.com https://commento.davidgs.com:8088  *.unpkg.com apis.google.com *.googleapis.com cdn.polyfill.io https://buttons.github.io  cdn.jsdelivr.net *.zencdn.net https://cdnjs.cloudflare.com https://*.google-analytics.com https://*.statcounter.com". Either the 'unsafe-inline' keyword, a hash ('sha256-WiE2LPSnZlTiP9NnrQN14OnMKI2ild8fGH0n+PhofS0='), or a nonce ('nonce-...') is required to enable inline execution.

After change: no error.

Copy link

netlify bot commented Oct 21, 2024

Deploy Preview for toha-ci ready!

Name Link
🔨 Latest commit 56787e0
🔍 Latest deploy log https://app.netlify.com/sites/toha-ci/deploys/6716becb7560780008383c56
😎 Deploy Preview https://deploy-preview-1004--toha-ci.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@joyao joyao added the bug-fix Bug fixes label Oct 21, 2024
@hossainemruz
Copy link
Member

Hi @davidgs! Thank you for the PR. However, this inline script is necessary. Otherwise, when you are in dark mode and click on a new page, it will flash white background and then turn into dark mode again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug-fix Bug fixes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

script in based.html can't be executed
3 participants