The rw_common folder itself should be fine. The problem listed above is you have a style= on the image. You’re not allowed to have inline styles with a content security policy.
inline scripts are not allowed either. They would need to be placed in a file placed within a trusted directory or domain.
CSP can never allow in-line anything as it’s purpose is to direct the browsers to block things that are subject to certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. In-line stuff is subject to these kind of attacks.
Thanks for the reply. This was a one page test site made with RapidWeaver 5. So, it looks like a CSP is not possible for an out of the box RapidWeaver generated site. I am actually trying to make my site GDPR compatible, but am not clear if a CSP is required.
GDPR and Content Security Policy aren’t really related specifically. However some people do use the CSP features built into modern browsers as a way to guarantee that their content doesn’t violate the GDPR.
Content Security Policy is a set of restrictions you can place on the content of the website. This is a technical feature of browsers – no just an agreement. Your site will ask the browser to abide by these restrictions. This is especially useful if your site serves up content that might be coming from elsewhere or from users of the site.
Content Security Policies can have a lot of details. Here’s a pretty simple one that I lifted from an article at Smashing Magazine:
notice that this policy has separate definitions for several different types of content style-src, script-src, etc. and for each it defies which places that type of content can originate from.
your policy content="default-src ‘self’ is very very restrictive. it means that a lot of types of very normal and very safe content will be disallowed.
in the case above an “inline” style is used – that’s one where the style is put right into the page itself. this is very advantageous because it’s very fast – especially important for images. on a page with user-generated content this might be disallowed – because you would not want users to modify the style of the page and hide things other users should see – but on a page generated by RapidWeaver there’s usually no reason to disallow that. so specifying a style-src of ‘unsafe-inline’ (despite the scary sounding name) is probably the way to go.
the Content Security Policy specification was written to make it very difficult to specify something generic, or to write a policy without really understand how they work. i’m fairly certain they did this on purpose. you’ll probably have to do a bit of reading to understand each of the parts and write a policy that is not too restrictive for your content – but restrictive enough to be safe or to abide by the GDPR if that’s your goal.
here are some links to some good details and examples: