security: remove style-src 'unsafe-inline' from all CSP policies (#193) #197
No reviewers
Labels
No labels
bug
documentation
duplicate
e-copy
e-features
e-mobile
enhancement
f-coverage
f-forensic
f-perf
f-privacy
forensic
good first issue
help wanted
infra
invalid
phase-a
phase-b
phase-c
phase-d
phase-e
phase-f
phase-g
phase-h
priority-1
priority-2
priority-3
privacy
question
v5
v6
video-hardening
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: forgejo_admin/exifcleaner-web#197
Loading…
Add table
Reference in a new issue
No description provided.
Delete branch "fix/193-csp-unsafe-inline"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Closes #193
unsafe-inlinewith CSS classes and a CSSOM-based approach'unsafe-inline'fromstyle-srcin all three enforcement layers:vite.config.web.ts,nginx.conf,public/_headersWhat changed
ErrorExpansion.tsx— two static inline styles moved to CSS:style={{ cursor: "copy" }}→ new BEM modifier.file-table__error-text--copyable { cursor: copy }style={{ color: "var(--ec-color-text-secondary)" }}on.file-table__copy-hint→ declared in CSS directlySegmentedControl.tsx— dynamic transform migrated to a CSS custom property:style={{ transform: \translateX(${activeIndex * 100}%)` }}`useLayoutEffect+ref.current.style.setProperty("--ec-segment-offset", ...)— CSSOM property access, not an inline style attribute, so it does not requireunsafe-inline.segmented-control__indicatorgetstransform: translateX(var(--ec-segment-offset, 0%))— the default0%means zero flash on first paint (theuseLayoutEffectfires before the browser paints)CSP updates:
vite.config.web.ts—styleSrcnow mirrors thescriptSrcpattern: dev retains'unsafe-inline'(required for Vite HMR), prod emitsstyle-src 'self'onlynginx.conf— both CSP directives (root +/assets/) updatedpublic/_headers— Cloudflare Pages header updatedTest plan
yarn typecheck— pre-existing ffmpeg errors only (unrelated to this PR)yarn lint— passesyarn test— 568/568 passyarn build— production build emitsstyle-src 'self'(nounsafe-inline) in the CSP meta tagcursor: copy, copy-hint text is the correct secondary colour🤖 Generated with Claude Code
Replace the three inline-style uses that required unsafe-inline: - ErrorExpansion: move cursor:copy and color:var(--ec-color-text-secondary) into new BEM classes (file-table__error-text--copyable, copy-hint) - SegmentedControl: replace style={{transform}} with a CSS custom property (--ec-segment-offset) set via useLayoutEffect + ref.style.setProperty, which is a CSSOM call and does not require unsafe-inline Remove 'unsafe-inline' from style-src in all three enforcement layers: - vite.config.web.ts: split styleSrc so dev retains it (Vite HMR) but prod builds emit style-src 'self' only - nginx.conf: both CSP directives updated - public/_headers: Cloudflare Pages header updated Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>