Remove inline styling from provided JS #1405
Comments
@levinmr - happy to chat about the details you're seeing. There shouldn't be much inline to the html. Are you referring to a different type of And here's some guidance.
Excerpts from the JS referenced above that were flagged as issues in the CSP;
The loadCss function appending a style tag was one. Also there are a few inline styles in the load HTML function (you can see them by grepping the HTML there for
@levinmr - can you load the latest and let me know how it looks. A style tag is still being added, but inline styles have been removed.
That eliminated all but one CSP issue. I deployed to our dev environment with the script tag, so you can inspect it. https://analytics-develop.app.cloud.gov/
Hi @levinmr - are you willing to try a CSP tag allowing touchpoints styling? Another option is for touchpoints to provide a separate css file, or for you to host that css locally.
I hosted the CSS/JS locally to avoid the
Including touchpoints JS in the analytics.usa.gov site with the following:
<script async type="text/javascript" src="https://touchpoints.app.cloud.gov/touchpoints/15ca967f.js"></script>
caused the site's CSP to block multiple items from loading due to unsafe inline styling being applied.
The CSP header for the site (set by NGINX):
I worked around the issue by including the Touchpoints JS/CSS in the hosting for the site and updating the JS/HTML that was setting inline styles.
It would be nice to have some guidance on how to do the workaround above, or provide a CSS file in addition to the Touchpoints JS to avoid the inline styling.
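An added example, not part of the original issue and not Touchpoints code: a small Node.js check that scans a third-party widget's source for the constructs a `style-src` policy without `'unsafe-inline'` blocks (created `<style>` tags, `style="..."` attributes in injected HTML, `setAttribute('style', ...)`). The function name, patterns and sample loader are constructed for illustration.

```javascript
// Patterns for style usage that a CSP style-src without 'unsafe-inline' blocks.
// Direct CSSOM writes such as el.style.display = 'none' are NOT blocked by CSP,
// so they are deliberately not matched.
const PATTERNS = [
  { kind: 'style-attribute', re: /\sstyle\s*=\s*\\?["']/i },
  { kind: 'style-element', re: /<style[\s>]/i },
  { kind: 'created-style-element', re: /createElement\(\s*["']style["']\s*\)/ },
  { kind: 'setAttribute-style', re: /setAttribute\(\s*["']style["']/ },
];

// Returns one finding per (line, pattern) hit: { line, kind, text }.
function findInlineStyleUses(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { kind, re } of PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, kind, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample resembling an embeddable form loader (hypothetical code).
const SAMPLE = [
  "function loadCss() {",
  "  var tag = document.createElement('style');",
  "  tag.appendChild(document.createTextNode('.widget-modal { display: none; }'));",
  "  document.head.appendChild(tag);",
  "}",
  "function loadHtml(el) {",
  "  el.innerHTML = '<div class=\"dialog\" style=\"display:none\">...</div>';",
  "  el.setAttribute('style', 'z-index: 9999');",
  "  el.style.display = 'none'; // CSSOM write: allowed under style-src",
  "  el.classList.add('widget-hidden'); // class from an external stylesheet: allowed",
  "}",
].join('\n');

for (const f of findInlineStyleUses(SAMPLE)) {
  console.log(`line ${f.line}: ${f.kind}: ${f.text}`);
}
```

Each finding is a place to move the rule into a stylesheet served from an origin the policy allows, or to give the `<style>` tag a nonce that the policy lists.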