Hans Karlsen
Revision as of 08:50, 2 June 2021
To inject extra meta tags into your Turnkey application, create a file like this:
Views/EXT_OverridePages/__ExtraMetaTags.cshtml
Example of a meta tag you want to inject:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
The above meta tag does, however, knock out inline scripts and inline styles. Even if knocking out inline scripts might be OK (because standard Turnkey does not depend on them), knocking out inline styles is more problematic, since Bootstrap and AngularJS depend on dynamically changing styles via DOM manipulation. See https://stackoverflow.com/questions/42401952/inline-style-error-with-content-security-policy-and-javascript
A more realistic security policy meta tag is this:
<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' 'self'; default-src 'self'">
If the file is found, its contents are read and injected after the standard meta tags.
Use the AssetsTK strategy to inject your file into the application.
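The two policies above differ only through CSP directive fallback: style-src and script-src use default-src when they are not listed themselves. The JavaScript below is an added example, not part of the original page or of Turnkey; the function names (parseCsp, effectiveSources, allowsInline, summarize) are hypothetical and chosen for illustration.

```javascript
// Added example (hypothetical helper names): report what a CSP string
// permits for inline scripts and inline styles, including default-src fallback.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src and style-src fall back to default-src when absent.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // nothing restricts this resource type
}

function allowsInline(directives, name) {
  const sources = effectiveSources(directives, name);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

function summarize(policy) {
  const d = parseCsp(policy);
  return {
    inlineScript: allowsInline(d, 'script-src'),
    inlineStyle: allowsInline(d, 'style-src'),
    scriptSources: effectiveSources(d, 'script-src'),
    styleSources: effectiveSources(d, 'style-src'),
  };
}

// The two policy strings from this page.
const strict = "default-src 'self'";
const realistic = "style-src 'unsafe-inline' 'self'; default-src 'self'";
console.log('strict   ', summarize(strict));
console.log('realistic', summarize(realistic));
```

With the second policy, inline scripts remain blocked while every inline style is accepted, so review any markup that places user-controlled data into style attributes or style elements.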