certsocietegenerale/FIR

Inline javascript not compatible with strict CSP

Opened this issue · 0 comments

Hello,

I've just installed FIR on an existing web server on which the Content Security Policy is quite tight. In particular, script-src is set to 'self' plus our CDN server.
The "New event" button is not a regular href link; it's a call to the JavaScript function location.href.
Also, many page elements, graphs for example, are loaded via inline JavaScript.

None of these will work with a tight/strict CSP. I need to add 'unsafe-inline' to the CSP header settings in order to display pages properly and be able to use the "New event" button.