Very happy with Twill overall, it's a great mix of boilerplate code to speed things up and an ability to customize to suit the needs of the project. There has been just one issue that I've not been able to overcome easily on my own and it's related to the templates used on the Dashboard and module index/form pages. There appears to be a good deal of inline JavaScript involved on these page templates (layouts.form, layouts.main, etc.). When a Content Security Policy (CSP) is in place, the default behavior is that inline scripts are blocked for improved security.
There are a few options to bypass this restriction but none are ideal:
Use unsafe-inline but that largely defeats the purpose of a CSP.
Use nonce which is not possible because these template files are not replaceable without editing the code in the vendor folder.
Use a hash for every inline script which necessitates a hash for every page including every form for each record. I tried this as a temporary measure but gave up after adding 15 such hashes and still not being fully able to use the admin and editor. Every new record created necessitated a new hash to be added.
Describe the solution you'd like
From my perspective there are two options that would help with this issue:
Make it possible to completely replace the default layouts; this way folks have a way to customize the dashboard and also the option to effect change on the inline script tags.
Change the inline scripts to be JavaScript files loaded separately instead.
Additional context
I'm running Twill 2.5.2; no significant customizations have been made and I can confirm this is an issue both with subdomain Twill admin as well as subfolder.
Thanks again for all you do!