Support for Content-Security-Policy headers via nonce attribute of script/style tags, to avoid need for unsafe-inline CSP rule #512

@RudolfCardinal

Description

Setting the Content-Security-Policy (CSP) HTTP header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy), which is a good thing, means that inline `<script>` and `<style>` tags will be blocked by the browser unless either the `unsafe-inline` CSP policy is used, which is a bad thing, or a hash or nonce is used. Of those, the nonce method is simpler. That requires `<script nonce="NONCE_FOR_THIS_RESPONSE">` and `<style nonce="NONCE_FOR_THIS_RESPONSE">`, matching the value of the nonce set in the response CSP header.

I don't think Deform supports this at present, and so some of its scripts/styles are blocked in this security environment. Would nonce support be reasonable to add? I imagine that `Form` could take a `nonce` parameter (default `None`); if present, its value could be propagated through all Deform `.pt` templates.
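The mechanism the issue describes, as an added example that is not Deform's code and uses no Deform or Pyramid API: a fresh random nonce is generated per response, the same value goes into the CSP header and into the `nonce` attribute of every inline `<script>`/`<style>` tag, and a checker reports the inline tags a browser would block because their nonce is missing or does not match the header. All function names (`generate_nonce`, `build_csp_header`, `find_blocked_inline_tags`, and the rest) are hypothetical, and the HTML fed to the checker is constructed for the example.

```python
"""Per-response CSP nonce handling (added example, not Deform's own code).

Shows why the nonce must be identical in the Content-Security-Policy header
and in each inline <script>/<style> tag of the same response, and how to
detect inline tags that would be blocked. All names here are hypothetical.
"""
import secrets
from html.parser import HTMLParser


def generate_nonce(nbytes: int = 16) -> str:
    """Return a fresh, unpredictable nonce for one response.

    CSP3 accepts base64 and base64url characters in a 'nonce-...' source,
    so token_urlsafe output can be used as-is. Never reuse a nonce across
    responses: a predictable or static nonce is equivalent to unsafe-inline.
    """
    return secrets.token_urlsafe(nbytes)


def build_csp_header(nonce: str) -> str:
    """CSP value allowing same-origin resources plus inline code carrying the nonce."""
    return (
        f"default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )


def render_inline_script(js: str, nonce: str) -> str:
    """Inline script tag carrying the response nonce (what a template would emit)."""
    return f'<script nonce="{nonce}">{js}</script>'


def render_inline_style(css: str, nonce: str) -> str:
    """Inline style tag carrying the response nonce."""
    return f'<style nonce="{nonce}">{css}</style>'


class _InlineTagCollector(HTMLParser):
    """Collect <script>/<style> start tags with their nonce attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []  # entries: (tag_name, nonce_attr_or_None, is_inline)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "style"):
            return
        attr = dict(attrs)
        # <script src="..."> is governed by the host-source list ('self' here);
        # only inline bodies need the nonce to be allowed.
        inline = not (tag == "script" and "src" in attr)
        self.tags.append((tag, attr.get("nonce"), inline))


def find_blocked_inline_tags(html: str, nonce: str) -> list:
    """Return (tag, found_nonce) for inline script/style tags that a browser
    enforcing build_csp_header(nonce) would block: nonce absent or mismatched."""
    parser = _InlineTagCollector()
    parser.feed(html)
    parser.close()
    return [
        (tag, found)
        for tag, found, inline in parser.tags
        if inline and found != nonce
    ]


if __name__ == "__main__":
    nonce = generate_nonce()
    header = build_csp_header(nonce)
    # Constructed page: one correctly nonced script, one un-nonced style
    # (the situation the issue reports), and one external script that needs no nonce.
    page = (
        render_inline_script("console.log('ok');", nonce)
        + "<style>body { margin: 0 }</style>"
        + '<script src="/static/deform.js"></script>'
    )
    print("Content-Security-Policy:", header)
    print("Blocked inline tags:", find_blocked_inline_tags(page, nonce))
```

The checker is useful as a regression test for a template change: render a form with a known nonce, feed the HTML to `find_blocked_inline_tags`, and assert the list is empty, which is exactly the property the browser enforces once `unsafe-inline` is dropped.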
