discourse/lib/content_security_policy
David Taylor 2457553d0a
FIX: Avoid flash-of-unstyled-content in Safari with bug workaround (#25462)
Safari has a bug which means that scripts with the `defer` attribute are executed before stylesheets have finished loading. This is being tracked at https://bugs.webkit.org/show_bug.cgi?id=209261.

This commit works around the problem by introducing a no-op inline `<script>` to the end of our HTML document. This works because defer scripts are guaranteed to run after inline scripts, and inline scripts are guaranteed to run after any preceding stylesheets.

Technically we only need this for Safari. But given that the cost is so low, it makes sense to include it everywhere rather than incurring the complexity of gating it by user-agent.
2024-01-29 17:20:44 +00:00
..
builder.rb SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00
default.rb FIX: Avoid flash-of-unstyled-content in Safari with bug workaround (#25462) 2024-01-29 17:20:44 +00:00
extension.rb DEV: Make csp cache work like other caches (#20818) 2023-03-27 09:22:38 -05:00
middleware.rb SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00