Please eliminate inline JS so strict CSP can be applied

[fancsali]

Right on the login page, there are two inline scripts, that would trip a no-inline security policy:

• At the top, what I reckon is included in every single page a piece of script with the license, and some initialisation code
• Around the bottom, where it calls rcmail.init(), which yet again, seems to be something, that's inlcuded in every page.

The second one can be easily hashed, and added as a CSP exception; the top one however, is a tad bit problematic, as it seems to contain strings, that are (randomly) generated on-the-fly.

[alecpl]

We have already #6281 and #7100. So, I'm closing this one. My take on this is that it will never happen.

[fancsali]

I see.

Looking at the code, I've seen comments regarding removing inline event handlers and using jQuery; also as far as I can tell, inline JS is injected by a piece of PHP, so it might be feasible to generate a nonce, and make that function include it in every <script> tag.

Nevertheless, I can see the non-straightforward nature of this; but I still think, it's an important issue. So, I'll try to get involved in the other two then.

With all due respect, I do hope, time will prove otherwise... ;)