[PR #3058] [MERGED] Removed unsafe-inline JS from CSP and other fixes #3103

Closed
opened 2025-10-09 18:17:14 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/3058
Author: @BlackDex
Created: 12/28/2022
Status: Merged
Merged: 1/9/2023
Merged by: @dani-garcia

Base: main ← Head: remove-inline-js


📝 Commits (1)

  • 613b251 Removed unsafe-inline JS from CSP and other fixes

📊 Changes

18 files changed (+946 additions, -718 deletions)


📝 src/api/admin.rs (+14 -26)
📝 src/api/web.rs (+11 -0)
📝 src/config.rs (+15 -0)
➕ src/static/scripts/404.css (+26 -0)
➕ src/static/scripts/admin.css (+45 -0)
➕ src/static/scripts/admin.js (+65 -0)
➕ src/static/scripts/admin_diagnostics.js (+219 -0)
➕ src/static/scripts/admin_organizations.js (+54 -0)
➕ src/static/scripts/admin_settings.js (+180 -0)
➕ src/static/scripts/admin_users.js (+246 -0)
📝 src/static/scripts/bootstrap.css (+0 -2)
📝 src/static/templates/404.hbs (+2 -26)
📝 src/static/templates/admin/base.hbs (+2 -94)
📝 src/static/templates/admin/diagnostics.hbs (+13 -194)
📝 src/static/templates/admin/organizations.hbs (+9 -36)
📝 src/static/templates/admin/settings.hbs (+11 -154)
📝 src/static/templates/admin/users.hbs (+29 -173)
📝 src/util.rs (+5 -13)

📄 Description

  • Removed unsafe-inline for JavaScript from the CSP. The admin interface now uses files instead of inline JavaScript.
  • Modified the JavaScript to work without being inline.
  • Ran eslint over the JavaScript and fixed some items.
  • Added a to_json Handlebars helper, used on the diagnostics page.
  • Changed the AdminTemplateData struct to be smaller. The config was always added but only used on one page. The same goes for can_backup and version.
  • Also inlined CSS.
    We can't remove unsafe-inline from CSS because that seems to break the web-vault currently. That might need some further checks.
    But for now the 404 page and all the admin pages are clear of inline scripts and styles.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
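As an added example (not vaultwarden's own code), a small Rust checker that parses a CSP header and reports whether script-src and style-src still permit inline content, run over two constructed headers that mirror the before/after state the description gives (script tightened, style still carrying unsafe-inline). It also models the default-src fallback and the rule that a nonce or hash source makes browsers ignore 'unsafe-inline'; the header strings are assumptions, not the project's actual policy.

```rust
// Added example, not vaultwarden's own code: parse a Content-Security-Policy
// header and check which directives still permit inline content.
use std::collections::HashMap;

pub type Policy = HashMap<String, Vec<String>>;

/// Split a CSP header into directive name -> source expressions.
pub fn parse_csp(header: &str) -> Policy {
    header
        .split(';')
        .filter_map(|d| {
            let mut parts = d.split_whitespace();
            let name = parts.next()?.to_ascii_lowercase();
            Some((name, parts.map(str::to_string).collect::<Vec<String>>()))
        })
        .collect()
}

/// Sources governing `directive`; browsers fall back to default-src for
/// script-src and style-src when the specific directive is absent.
pub fn effective_sources<'a>(policy: &'a Policy, directive: &str) -> Option<&'a Vec<String>> {
    policy.get(directive).or_else(|| policy.get("default-src"))
}

/// True when inline content is still allowed: 'unsafe-inline' is present and no
/// nonce/hash source neutralises it. No governing directive at all also allows it.
pub fn allows_inline(policy: &Policy, directive: &str) -> bool {
    let sources = match effective_sources(policy, directive) { Some(s) => s, None => return true };
    let unsafe_inline = sources.iter().any(|s| s.eq_ignore_ascii_case("'unsafe-inline'"));
    let nonce_or_hash = sources.iter().any(|s| {
        let s = s.to_ascii_lowercase();
        ["'nonce-", "'sha256-", "'sha384-", "'sha512-"].iter().any(|p| s.starts_with(*p))
    });
    unsafe_inline && !nonce_or_hash
}

/// Constructed headers mirroring the PR: before, script and style both allow
/// inline; after, only style-src keeps 'unsafe-inline', as the description notes.
pub const BEFORE: &str = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
pub const AFTER: &str = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
/// (inline script allowed, inline style allowed) for one header.
pub fn inline_report(header: &str) -> (bool, bool) {
    let policy = parse_csp(header);
    (allows_inline(&policy, "script-src"), allows_inline(&policy, "style-src"))
}
fn main() {
    for &(label, header) in [("before", BEFORE), ("after", AFTER)].iter() {
        println!("{}: (script, style) inline allowed = {:?}", label, inline_report(header));
    }
}
```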

OVERLORD added the pull-request label 2025-10-09 18:17:14 +03:00
Reference: starred/vaultwarden#3103