As the Delete button for ActiveStorage fields uses inline Javascript (in its onclick attribute), it's not compatible with a secure Content-Security Policy (CSP) header.
Currently the only way to get deletion to work is to disable CSP for the application (or add unsafe-inline to default-src, but that's about the same). This is wrong and greatly increases the XSS risk. Any Javascript should be loaded from .js files.
As the Delete button for ActiveStorage fields uses inline Javascript (in its
onclickattribute), it's not compatible with a secure Content-Security Policy (CSP) header.Currently the only way to get deletion to work is to disable CSP for the application (or add
unsafe-inlinetodefault-src, but that's about the same). This is wrong and greatly increases the XSS risk. Any Javascript should be loaded from .js files.