Inline javascript not compatible with strict CSP

[p4tpr0]

Hello,

I've just installed FIR on an existing web server on which Content Security Policy is quite tight. In particular script-src is set to 'self' + our CDN server.
The "New event" button is not a regular href link, it's a call to Javascript function location.href.
Also, many page elements are loaded via inline javascript, like graphs for example.

None of these will work with tight/strict CSP. I need to add 'unsafe-inline' to CSP's header settings in order to display pages properly and being able to use "New event" button.

[Augustin-FL]

Hi,

Stats pages were completly reworked, and are not using inline javascript anymore.

Yet some pages of FIR still use inline CSS/Javascript, and/or jquery (which itself is not compatible with strict CSP). A progressive phase-out of jquery is ongoing, but it will likely take time for it to be completed.