CSP Documentation missing style-src 'unsafe-eval'?

[kmindi]

Hi,

I have not yet created a MVP or anything similar to further dig down, but apparently the recommended settings https://docs.friendlycaptcha.com/#/csp miss a step about the style-src / style-src-elem.

The widget.module.js injects a style element, which is blocked on a page with the following Content-Security-Policy Error in Chrome:

widget.module.min.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-rD8UmTfY4BIp0ZHw'". Either the 'unsafe-inline' keyword, a hash ('sha256-DtJ0G5eArSV7tvvFUUeV7iyiWfBGflIkRW64/tmMWUk='), or a nonce ('nonce-...') is required to enable inline execution.

Thanks for confirming or looking into it. I'm happy to provide more information if needed and update this issue.

[merlinfuchs]

Hey, you are right that you have to add unsafe-inline to either style-src or default-src. I will look into why this isn't documented yet!

Alternatively, you can set skipStyleInjection and add your own style sheet (or copy ours) to style the widget. This way you can avoid the CSP issue.

[kmindi]

Thanks already!, Yet, adding it seems to have no effect because we use a nonce, but don't know why it does not work with that nonce, it should be set at all places...