You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
I have read the documentation and cannot find an answer.
Describe the bug
Sites that use a CSP to improve their security are moving away from inlined styles (style attributes that appear on elements) in favor of class attributes.
Reproduction
The easiest way to reproduce this issue is to add the meta tag to the index.html's <head> section: <meta http-equiv="Content-Security-Policy" content="default-src 'self'">
The meta header is not considered best practice (putting the csp in the http header is), but this approach fine for demonstration/dev.
To Reproduce
Steps to reproduce the behavior:
Using a dev localhost site, edit the index.html template page.
Add the basic CSP header: <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> and save
Reload the page
Open the debugger and look for the CSP errors in the console.
Result:
A blank screen is displayed, the console shows errors like:
Refused to apply inline style because it violates the following Content Security Policy
Expected behavior
CSPs are quickly gaining popularity because they greatly increase a site's security. For SPAs (Single Page Apps), the CSP http-header applies to the "whole site" since there's only one http page load. If any component requires insecure behaviors, then the whole site must have it's security stance lowered.
Desktop (please complete the following information):
OS: all
Browser: all latest versions support CSP
Additional context
This is likely not a minor change. However, thinking about CSP as new features are added or refactored is useful for forward compatibility.
A useful exercise is to tweak the CSP ever so slightly until the component does work to understand what's involved for users of the component.
"The unsafe-inline source list keyword can be used to allow inline styles, but this also removes much of the security protection that you gain when you enable CSP."
Because this is a long-term goal, it may make sense to close this issue.
The text was updated successfully, but these errors were encountered:
@TomNUSDS the part which I'm not sure about is how would dynamically positioned elements like tooltips and popovers would work without inline styles to position them. As far as I saw, popular UI libraries like Radix (used in the editor) and MUI have not solved that. Have you seen anything regarding that?
Describe the bug
Sites that use a CSP to improve their security are moving away from inlined styles (
style
attributes that appear on elements) in favor ofclass
attributes.See: https://content-security-policy.com/examples/allow-inline-style/
Good background read (balanced): https://scotthelme.co.uk/can-you-get-pwned-with-css/
Reproduction
The easiest way to reproduce this issue is to add the meta tag to the
index.html
's<head>
section:<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
The meta header is not considered best practice (putting the csp in the http header is), but this approach fine for demonstration/dev.
To Reproduce
Steps to reproduce the behavior:
index.html
template page.<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
and saveResult:
A blank screen is displayed, the console shows errors like:
Expected behavior
CSPs are quickly gaining popularity because they greatly increase a site's security. For SPAs (Single Page Apps), the CSP http-header applies to the "whole site" since there's only one http page load. If any component requires insecure behaviors, then the whole site must have it's security stance lowered.
Desktop (please complete the following information):
Additional context
This is likely not a minor change. However, thinking about CSP as new features are added or refactored is useful for forward compatibility.
A useful exercise is to tweak the CSP ever so slightly until the component does work to understand what's involved for users of the component.
https://content-security-policy.com/examples/allow-inline-style/
Because this is a long-term goal, it may make sense to close this issue.
The text was updated successfully, but these errors were encountered: