bootstrap issue #33134
Issue created Feb 17, 2021 by Administrator (@root)

Add CSP URLs to the docs & more details for other CSP implementation methods

Created by: 9mido

https://github.com/twbs/bootstrap/pull/32832

https://github.com/twbs/bootstrap/issues/25394

PR 32832 provides a section for CSP in the docs but it is lacking CSP URLs developers could plug into their code to enable bootstrap assets.

For anybody who wants to see the results of that documentation PR 32832 here is the online version:

https://getbootstrap.com/docs/5.0/customize/overview/#csps-and-embedded-svgs

With this documentation PR 32832 there is no reference to CSP URLs that you can plug into your CSP configurations or where in the CSP configurations to put them (script-src, frame-src, etc). You are just linking to the code documentation page for each element?

I was hoping bootstrap could provide something like this:

https://content-security-policy.com/examples/

https://stripe.com/docs/security/guide#content-security-policy

https://developers.google.com/recaptcha/docs/faq#im-using-content-security-policy-csp-on-my-website.-how-can-i-configure-it-to-work-with-recaptcha

Using bootstrap-provided CSP URLs and plugging them in is much easier than locally hosted assets, inline images, etc. CSP-provided URLs are by far the easiest and quickest way to get CSP protection for your site.

Following what Stripe and Google do in this case is a best practice: providing bootstrap-provided CSP URLs to the public to handle the assets for you.

I wouldn't know where to begin on where to actually download the images/svgs from and then figure out where to put them locally and then how to reference them in my code. There is no guidance for how to do that in the current docs. Maybe add more details for developers who may want to reference them locally or provide more details on some of the other methods like inline images in addition to using bootstrap-provided CSP URLs, because some developers might want to change the colors of the assets or change the asset images altogether or something.
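As an added illustration (not part of this issue or of the Bootstrap project), here is a small CSP evaluator that shows where CDN origins and `data:` go in a policy and which requests each directive then permits, including the fallback to `default-src` when a directive such as `frame-src` is omitted. The policy and the `https://cdn.example` origin are constructed placeholders, not Bootstrap's real CDN; ports and path matching are not modelled.

```python
"""Check which resources a Content-Security-Policy header permits."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "frame-src", "connect-src"}


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (first occurrence wins)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _source_matches(source, url, page_origin):
    """Does one CSP source expression cover `url`? ('self', 'none', scheme:, host)."""
    u = urlsplit(url)
    if source == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source.startswith("'"):              # 'none', nonces, hashes never match a URL
        return False
    if source.endswith(":"):                # scheme-source, e.g. data: or https:
        return u.scheme == source[:-1].lower()
    scheme, _, host = source.rpartition("://")   # host-source with optional scheme
    scheme = scheme.lower() or urlsplit(page_origin).scheme
    host = host.split("/", 1)[0].lower()
    if scheme != u.scheme and not (scheme == "http" and u.scheme == "https"):
        return False
    if host.startswith("*."):               # wildcard covers subdomains only
        return (u.hostname or "").endswith(host[1:])
    return (u.hostname or "") == host


def allows(header, directive, url, page_origin="https://app.example"):
    """True if `url` may load under `directive`, falling back to default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                         # nothing governs it: unrestricted
    return any(_source_matches(s, url, page_origin) for s in sources)


# Constructed policy: self-hosted app, Bootstrap JS/CSS from a CDN origin,
# and data: for the SVG icons Bootstrap's CSS embeds as data URIs.
EXAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example; "
               "style-src 'self' https://cdn.example; img-src 'self' data:")

if __name__ == "__main__":
    for d, u in [("script-src", "https://cdn.example/bootstrap.bundle.min.js"),
                 ("img-src", "data:image/svg+xml;base64,PHN2Zz4="),
                 ("frame-src", "https://cdn.example/embed")]:
        print(f"{d:10} {u[:42]:42} {'ALLOWED' if allows(EXAMPLE_CSP, d, u) else 'BLOCKED'}")
```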
