Page MenuHomePhabricator

add Widgets extension compatibility with $wgCSPHeader CSP Content Security Policy
Open, Needs TriagePublic


Extension:Widgets is incompatible with $wgCSPHeader.

Browser console showing:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

content-security-policy: script-src 'unsafe-eval' blob: 'self' 'nonce-+S3UuO58ZVhPDsPQ9t+i' 'unsafe-inline'; default-src 'self' data: blob:; style-src 'self' data: blob: 'unsafe-inline'; img-src * data: blob:; object-src 'none'; report-uri /w/api.php?action=cspreport&format=json