Skip to content

Remove the footer's inline script and SVG's inline style (CSP)#1985

Open
maebeale wants to merge 3 commits into
mainfrom
maebeale/footer-csp-inline-cleanup
Open

Remove the footer's inline script and SVG's inline style (CSP)#1985
maebeale wants to merge 3 commits into
mainfrom
maebeale/footer-csp-inline-cleanup

Conversation

@maebeale

@maebeale maebeale commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

🤖 suggested review level: 3 Read 📖 small markup→Stimulus refactor in the global footer + one utility-class swap

Why

Every page logs two report-only CSP violations from the global layout:

  • the floating help button's inline <script> (script-src)
  • the SVG sprite's inline style= (default-src)

What

Following the #1948 precedent — fix the violating markup, keep the strict policy (no unsafe-inline):

  • Drive the FAB toggle with the existing dropdown controller (data-action="dropdown#toggle" + a payload param toggling hidden on the menu and rotate-45 on the button) — no new controller. Also gives close-on-outside-click / escape for free.
  • Move the SVG sprite's positioning to utility classes (absolute w-0 h-0 overflow-hidden).

Notes

  • Verified in a headless browser: both violations gone; the FAB still opens/closes.
  • The one remaining console CSP entry is a <style> injected by a JS library (Turbo's progress bar), which would need a CSP nonce to silence — out of scope here.

Copilot AI review requested due to automatic review settings July 14, 2026 21:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@maebeale maebeale marked this pull request as ready for review July 14, 2026 22:29
@maebeale maebeale requested a review from jmilljr24 July 14, 2026 22:29

@jmilljr24 jmilljr24 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use the dropdown controller instead of adding a new one?

maebeale and others added 2 commits July 15, 2026 08:35
Every page (now including the resource-preview flow this PR reworks) logged two
report-only CSP violations from the global layout: the floating help button's
inline <script> (script-src) and the SVG sprite's inline style= (default-src).

Follow the #1948 precedent — fix the violating markup, keep the strict policy:
move the FAB toggle to a Stimulus controller (fab) and the sprite's positioning
to utility classes. The remaining console CSP entry is a <style> injected by a
JS library (Turbo's progress bar), which would need a CSP nonce to silence.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Per review feedback, drop the new fab controller and drive the floating
help menu with the existing dropdown controller instead — it already
toggles class strings on elements by id via a payload param, which is
exactly the menu-hidden / button-rotate toggle the FAB needs (and it adds
click-outside / escape-to-close for free). Reverts the AGENTS.md controller
count and index.js registration for the removed controller.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@maebeale maebeale force-pushed the maebeale/footer-csp-inline-cleanup branch from b8bd27d to 4930cdc Compare July 15, 2026 12:38
Copilot AI review requested due to automatic review settings July 15, 2026 12:38

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@maebeale

Copy link
Copy Markdown
Collaborator Author

🤖 From Claude: Good call — dropped the new fab controller and wired the footer help button to the existing dropdown controller instead (payload toggles hidden on the menu + rotate-45 on the button). Bonus: it now closes on outside-click/escape. Reverted the AGENTS.md count and index.js registration too.

Verifies the shared dropdown controller opens/closes the floating help
menu, guarding the CSP refactor that removed the inline script.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 15, 2026 12:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

<button id="fab-button"
type="button"
data-action="dropdown#toggle"
data-dropdown-payload-param='[{"fab-menu":"hidden"}, {"fab-button":"rotate-45"}]'

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 From Claude: Reusing dropdown's payload API instead of a bespoke controller: each object maps an element id to the class(es) to toggle — hidden on the menu, rotate-45 on the button. Same pattern as the accordion callers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants