Hello PeterK25,
The initial discussion here in French: https://www.rosariosis.org/forum/d/1276-d-placer-tous-les-scripts-inline-dans-les-emplacements-d-di-s-csp-xss
Content Security Policy's main purpose is to offer an easy way to prevent XSS (Cross Site Scripting).
There are other ways to prevent XSS, and if you find RosarioSIS to be vulnerable, please open an issue.
CSP will be implemented by RosarioSIS itself in two phases:
- v12.5: CSP banning inline JS and external-domain JS, report only
- v13.0: CSP activation, actually blocking (and reporting)
I am in the process of updating every add-on, that is, moving inline JS to JS files.
Next, I will do the same in RosarioSIS, plus develop a plugin to be notified of CSP reports (when some functionality is blocked by the browser). As mentioned above, this will come in version 12.5.
So, you may have CSP enforced in RosarioSIS in 2026 (13.0), not before, as this represents a lot of work plus potentially breaking things that are now working, as you have experienced.
Resources:
https://web.dev/articles/csp
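The two phases described in the post, as an added example that is not RosarioSIS's own code: the header a server would send in the report-only phase versus the enforcing phase (a `script-src 'self'` policy, which rejects inline scripts and third-party script hosts), plus the parsing a report-notification plugin needs for the violation reports browsers POST back. The endpoint path, origins and sample reports are constructed for the example.

```python
from __future__ import annotations
import json

# Assumed report endpoint for this example (not RosarioSIS's real path).
REPORT_ENDPOINT = "/csp-report.php"


def csp_header(enforce: bool) -> tuple[str, str]:
    """(header name, value) for the two rollout phases.

    script-src 'self' rejects inline <script> blocks and third-party
    script hosts alike. enforce=False only reports (the v12.5 phase);
    enforce=True also blocks (the v13.0 phase).
    """
    policy = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              f"report-uri {REPORT_ENDPOINT}")
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy


def parse_csp_report(raw: bytes) -> list[dict]:
    """Normalise a violation report POSTed by the browser.

    Accepts the legacy report-uri body {"csp-report": {...}} and the
    Reporting API body [{"type": "csp-violation", "body": {...}}, ...].
    """
    data = json.loads(raw)
    if isinstance(data, dict) and "csp-report" in data:
        entries = [data["csp-report"]]
    elif isinstance(data, list):
        entries = [r["body"] for r in data if r.get("type") == "csp-violation"]
    else:
        raise ValueError("not a CSP violation report")
    return [{
        "page": e.get("document-uri") or e.get("documentURL"),
        "directive": e.get("effective-directive") or e.get("effectiveDirective"),
        "blocked": e.get("blocked-uri") or e.get("blockedURL"),  # "inline" for inline JS
        "disposition": e.get("disposition"),  # "report" (phase 1) or "enforce" (phase 2)
    } for e in entries]


# Constructed samples: an inline script reported in phase 1 (legacy format)
# and a third-party script blocked in phase 2 (Reporting API format).
SAMPLE_LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://sis.example.test/page.php", "effective-directive": "script-src",
    "blocked-uri": "inline", "disposition": "report"}}).encode()
SAMPLE_REPORTING_API = json.dumps([{"type": "csp-violation", "body": {
    "documentURL": "https://sis.example.test/page.php", "effectiveDirective": "script-src",
    "blockedURL": "https://cdn.example.test/lib.js", "disposition": "enforce"}}]).encode()
```

A `blocked` value of `inline` identifies exactly the scripts that still need moving into JS files before the enforcing phase.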