When Public API is enabled in the Labs menu, Ghost injects an inline script tag into the page.
Injecting an inline script into the page is problematic for sites that want to use Content Security Policy (CSP). One of the biggest security benefits of CSP is the ability to effectively neutralise XSS attacks. To do this, the execution of inline script is blocked. This leaves Ghost users the option of using the Public API and disabling this security feature, or not using the Public API.
Is it possible the contents of the script tag can be externalised? Example script tag:
<script type="text/javascript">
  ghost.init({
    clientId: "ghost-frontend",
    clientSecret: "$value"
  });
</script>
We're aware that the way the Public API scripts are injected into the page is currently not ideal. We 100% intend to revisit this before removing the beta flag from this feature.
If anyone wants to raise PRs to improve the code, that would be great. Ideally these would use examples from other platforms and how they do this as reference material. cc @brettdewoody re #8918
I came across this issue again today with another Ghost user. Just to check in and continue hoping that inline script will be removed soon!
Any news on this? Google PageSpeed is also complaining about ghost-sdk.min.js blocking rendering and not being compressed.
@herkyl No progress on this. The issue is labeled with help wanted. We are happy about any help.
If anyone wants to raise PRs to improve the code, that would be great. Ideally these would use examples from other platforms and how they do this as reference material. cc @brettdewoody re #8918
@kirrg001 might look into it when I have some time!
We're currently working on new API versions and an associated change in auth mechanism that will come with new SDKs that will not have any form of script injection.
Unfortunately we need to keep the injection around for backwards-compatibility until the next major version of Ghost. In the meantime we'll be looking at ways to remove the render blocking behaviour.
Closing this issue because we're unable to solve the CSP or script injection aspect at this time but it will eventually disappear as part of a future major release.