Content Security Policy and admin area
In a previous thread Mike asked about the configuration of the admin area and how it works when you have a Content Security Policy, as unless you specifically allow inline scripts and styles, things go a little screwy.
I didn't want to set unsafe-inline across the whole site, so I dug into my Apache config and came up with the following block for my .htaccess that will set different headers depending on the request path. I'm sure something similar can be achieved with other web servers.
<IfModule mod_headers.c>
    # If we're in the admin area, allow unsafe-inline scripts and styles. Perch has a couple of dynamically generated blocks we need.
    <If "%{REQUEST_URI} =~ m#/perch/.*#">
        Header set Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
    </If>
    <Else>
        Header set Content-Security-Policy: "default-src 'self';"
    </Else>
</IfModule>
Hope this helps someone.
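
As an added example (not part of the original post, and not Perch's own code): a small Python model of the <If>/<Else> block above that checks which request paths end up with a policy permitting inline scripts. It goes slightly beyond the post by comparing the posted pattern with an anchored ^/perch/ variant, which assumes the admin area sits at the site root; the sample paths are constructed.

```python
import re

# Policies copied from the .htaccess block in the post.
ADMIN_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
SITE_CSP = "default-src 'self';"

POSTED = re.compile(r"/perch/.*")   # pattern from the post; =~ is an unanchored search
ANCHORED = re.compile(r"^/perch/")  # assumption: admin area lives at the site root


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_for(path, pattern):
    """Mirror the <If>/<Else> branch: admin policy when the pattern matches."""
    return ADMIN_CSP if pattern.search(path) else SITE_CSP


def allows_inline(header, kind):
    """True if inline script/style (kind = 'script' or 'style') is permitted."""
    policy = parse_csp(header)
    # script-src / style-src fall back to default-src when absent.
    sources = policy.get(kind + "-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: nothing is restricted
    return "'unsafe-inline'" in sources


def leaks(paths, pattern, admin_prefix="/perch/"):
    """Paths outside the admin prefix that still get an inline-permitting policy."""
    return [p for p in paths
            if not p.startswith(admin_prefix)
            and allows_inline(csp_for(p, pattern), "script")]


# Constructed sample request paths.
SAMPLE = ["/", "/perch/core/apps/content/", "/blog/perch/index.html", "/perch", "/about/"]

if __name__ == "__main__":
    print("posted pattern:  ", leaks(SAMPLE, POSTED))
    print("anchored pattern:", leaks(SAMPLE, ANCHORED))
```

The equivalent anchored condition in the .htaccess block would be <If "%{REQUEST_URI} =~ m#^/perch/#">, which keeps the relaxed policy from being served for any other URL that merely contains /perch/.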