Description
Project Context
Tech Stack: Core PHP, jQuery, JavaScript
Environment: Government project with strict security audit requirements
CSP Restriction: Can only use default-src 'self'; script-src 'self'; style-src 'self'; (no unsafe-inline allowed)
Issue
I've successfully removed all inline styles and scripts from my project except for those generated by bootstrap-fileinput v5.5.2. The library is generating inline styles that violate our CSP policy:
Applying inline style violates the following Content Security Policy directive: 'style-src 'self''. Either the 'unsafe-inline' keyword, a hash ('sha256-OnQJ+WJTy68Tr6CkFyVvUukBBDAKfVxYuXQSzn+4D+Q='), or a nonce ('nonce-...') is required...
What I've Tried
Removed all custom inline styles/scripts
Using only external CSS/JS files hosted on same domain ('self')
Bootstrap-fileinput still generates inline styles dynamically
Question
How can I configure bootstrap-fileinput v5.5.2 to work without inline styles, or extract the hash sha256-OnQJ+WJTy68Tr6CkFyVvUukBBDAKfVxYuXQSzn+4D+Q= into the CSP header, or is there nonce support for this?
Any guidance on:
CSP-compliant configuration options
Alternative initialization methods
Proper hash extraction for dynamic styles
Recommended forks/patches for strict CSP environments
Would be greatly appreciated!