Closed
Description
As mentioned in #418, gridstack relies on inline `<style>` tags to provide its dynamic stylesheet.

The Content Security Policy header blocks all inline-style and inline-script tags, as they may impose XSS vulnerabilities.

Since a missing CSP header is identified as a critical XSS vulnerability, it would be a better option to provide support for this rather than forcing users to use an `unsafe-inline` source or to remove the CSP header from the application.

One option is to pass a server-generated nonce during grid initialization, which can be used as the `nonce` attribute on the inline `<style>` tags; that would prevent the `<style>` tags generated by gridstack from being blocked.