Skip to content

Remove the footer's inline script and SVG's inline style (CSP)#1985

Open
maebeale wants to merge 1 commit into
mainfrom
maebeale/footer-csp-inline-cleanup
Open

Remove the footer's inline script and SVG's inline style (CSP)#1985
maebeale wants to merge 1 commit into
mainfrom
maebeale/footer-csp-inline-cleanup

Conversation

@maebeale

Copy link
Copy Markdown
Collaborator

🤖 suggested review level: 3 Read 📖 small markup→Stimulus refactor in the global footer + one utility-class swap

Why

Every page logs two report-only CSP violations from the global layout:

  • the floating help button's inline <script> (script-src)
  • the SVG sprite's inline style= (default-src)

What

Following the #1948 precedent — fix the violating markup, keep the strict policy (no unsafe-inline):

  • Move the FAB toggle to a fab Stimulus controller (data-action="fab#toggle", menu/button targets).
  • Move the SVG sprite's positioning to utility classes (absolute w-0 h-0 overflow-hidden).
  • AGENTS.md: Stimulus controller count 75 → 76, add fab.

Verified in a headless browser: both violations gone; the FAB still opens/closes. The one remaining console CSP entry is a <style> injected by a JS library (Turbo's progress bar), which would need a CSP nonce to silence — out of scope here.

Every page (now including the resource-preview flow this PR reworks) logged two
report-only CSP violations from the global layout: the floating help button's
inline <script> (script-src) and the SVG sprite's inline style= (default-src).

Follow the #1948 precedent — fix the violating markup, keep the strict policy:
move the FAB toggle to a Stimulus controller (fab) and the sprite's positioning
to utility classes. The remaining console CSP entry is a <style> injected by a
JS library (Turbo's progress bar), which would need a CSP nonce to silence.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 14, 2026 21:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@maebeale maebeale marked this pull request as ready for review July 14, 2026 22:29
@maebeale maebeale requested a review from jmilljr24 July 14, 2026 22:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants