No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
Example of the meta tag you want to inject: | Example of the meta tag you want to inject: | ||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'"> | <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> | ||
The above meta tag knocks out inline scripts and inline styles. Even if knocking out inline scripts might be ok (because standard Turnkey does not depend on them), knocking out inline styles is more problematic since | The above meta tag knocks out inline scripts and inline styles. Even if knocking out inline scripts might be ok (because standard Turnkey does not depend on them), knocking out inline styles is more problematic since Bootstrap and Angularjs depend on the need to change styles dynamically via DOM manipulation. See this: https://stackoverflow.com/questions/42401952/inline-style-error-with-content-security-policy-and-javascript | ||
A more realistic security policy meta tag is this: | A more realistic security policy meta tag is this: | ||
<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' 'self'; default-src 'self'"> | <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' 'self'; default-src 'self'"> | ||
If the file is found, the contents are read and injected after the standard meta tags. | If the file is found, the contents are read and injected after the standard meta tags. | ||
Use the [[AssetsTK]] strategy to inject your file into the application. | Use the [[AssetsTK]] strategy to inject your file into the application. | ||
[[Category:MDriven Turnkey]] | [[Category:MDriven Turnkey]] | ||
Revision as of 05:55, 14 July 2023
To inject extra meta tags into your Turnkey application, create a file like this:
Views/EXT_OverridePages/__ExtraMetaTags.cshtml
Example of the meta tag you want to inject:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
The above meta tag knocks out inline scripts and inline styles. Even if knocking out inline scripts might be ok (because standard Turnkey does not depend on them), knocking out inline styles is more problematic since Bootstrap and Angularjs depend on the need to change styles dynamically via DOM manipulation. See this: https://stackoverflow.com/questions/42401952/inline-style-error-with-content-security-policy-and-javascript
A more realistic security policy meta tag is this:
<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' 'self'; default-src 'self'">
If the file is found, the contents are read and injected after the standard meta tags.
Use the AssetsTK strategy to inject your file into the application.