CssResource/GssResource inject their contents inline into <style> tags using the StyleInjector, and do not presently have any accommodation for CSP rules - that is, if CSP is enabled, unsafe-inline/etc must be specified for this to still work.
In theory, we could hash all of the included CssResource blobs of content, and provide them in a generated file, so that a server can provide them and indicate that those inline styles are safe because they match an expected hash. We could also offer a way to pass in a nonce, so that each style tag when created would have a supported nonce for that page load - though I'm a little skeptical of how this would actually be safe if the value is readable by plain JS.
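The hash-based approach sketched in the issue, worked through as an added example that is not part of the original issue or of GWT's code: a build step that hashes each CssResource blob into a manifest, a server-side helper that turns the manifest into a style-src directive, and a small simulation of the browser's check. The resource names and CSS text are constructed stand-ins for what StyleInjector would inject, and the function names are this example's own.

```python
import base64
import hashlib

# Constructed sample input: stand-ins for the CSS text that CssResource/GssResource
# would hand to StyleInjector at runtime (not real GWT compiler output).
SAMPLE_CSS_BLOBS = {
    "app.css": ".GBZ1 { color: red; }",
    "theme.css": ".GBZ2 { margin: 0 }",
}

# The only hash algorithms CSP accepts in a hash-source expression.
CSP_HASH_ALGORITHMS = ("sha256", "sha384", "sha512")


def csp_hash(css_text: str, algorithm: str = "sha256") -> str:
    """Return the CSP hash-source expression ('sha256-<base64>') for one inline blob.

    The browser hashes exactly the bytes between <style> and </style>, UTF-8
    encoded, so the text must match byte-for-byte: a trailing newline added by
    a template, or different minification at build time, breaks the match.
    """
    if algorithm not in CSP_HASH_ALGORITHMS:
        raise ValueError(f"CSP supports only {CSP_HASH_ALGORITHMS}, got {algorithm!r}")
    digest = hashlib.new(algorithm, css_text.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def build_hash_manifest(blobs: dict, algorithm: str = "sha256") -> dict:
    """The 'generated file' the issue proposes: resource name -> CSP hash source.

    A server can load this manifest and emit the hashes in its
    Content-Security-Policy header without knowing anything else about the
    compiled module.
    """
    return {name: csp_hash(text, algorithm) for name, text in blobs.items()}


def style_src_directive(manifest: dict) -> str:
    """Build a style-src directive from the manifest (sorted for a stable header)."""
    return "style-src 'self' " + " ".join(sorted(set(manifest.values())))


def inline_style_allowed(csp_header: str, css_text: str) -> bool:
    """Simulate the browser's check for one injected <style> blob.

    Returns True only if style-src lists a hash source whose algorithm, applied
    to this exact text, produces the same value. Other source kinds ('self',
    host sources) never allow inline styles, so they are ignored here.
    """
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "style-src":
            continue
        for token in tokens[1:]:
            algorithm, sep, _ = token.strip("'").partition("-")
            if sep and algorithm in CSP_HASH_ALGORITHMS and token == csp_hash(css_text, algorithm):
                return True
        return False  # first style-src directive decides; no hash matched
    return False  # no style-src at all: inline styles are not allowed


if __name__ == "__main__":
    manifest = build_hash_manifest(SAMPLE_CSS_BLOBS)
    header = style_src_directive(manifest)
    print("Content-Security-Policy:", header)
    for name, text in SAMPLE_CSS_BLOBS.items():
        print(name, "allowed:", inline_style_allowed(header, text))
    # Byte-exactness caveat: one extra trailing space and the hash no longer matches.
    print("modified blob allowed:", inline_style_allowed(header, SAMPLE_CSS_BLOBS["app.css"] + " "))
```

The manifest must be regenerated on every compile, since any change to the CSS (including whitespace or obfuscated class-name changes) changes the hash, and the header must list the hash for each distinct blob the module injects. Once a hash or nonce source appears in style-src, CSP-aware browsers ignore 'unsafe-inline', so the manifest has to be complete before 'unsafe-inline' is dropped from the policy.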