Use of inline styles doesn't play nice with Content Security Policy #418
Comments
What do you mean by inline styles? All styles used by gridstack are in css files or generated inside a STYLE tag. And we cannot avoid the usage of generated styles. I don't see any other way to implement all the functionality gridstack provides without that. And what kind of security risks may this cause?
Hey, inline styles are the I had a short look at the source and it seems like you only need the E.g. change

```js
if (this._styles._max === 0) {
    Utils.insertCSSRule(this._styles, prefix, 'min-height: ' + getHeight(1, 0) + ';', 0);
}
```

to

```js
if (this._styles._max === 0) {
    var elements = document.querySelectorAll(prefix);
    for (var i = 0; i < elements.length; ++i) {
        elements[i].style.minHeight = getHeight(1, 0);
    }
}
```

I'm no expert on security myself, but here are some risks associated with inline styles: Please note that I'm not saying that your use of inline styles exposes these risks. But it prevents activating the CSP.
I'd also like to be able to set a strict CSP policy and disable inline styles. Is there any plan for Gridstack to change from using custom styles to using DOM modification instead? 👍
Copied from #1512: The Content Security Policy header blocks all inline-style and inline-script tags, as they may introduce XSS vulnerabilities. Since a missing CSP header is identified as a critical XSS vulnerability, it would be a better option to provide support for this rather than forcing users to use One option is to pass a server-generated nonce during grid initialization, which can be used as the nonce attribute in the inline As mentioned in earlier comments, the other option is to use JavaScript to set styles directly on the element's `document.querySelector('div').style.display = 'none';`
… Security Policy * updating styles directly on HTMLElement rather than updating dynamic stylesheets * removing logic related to dynamic stylesheets as they aren't required and violate CSP strict style-src rule * removed UTs related to Dynamic stylesheets
… Security… (#1) * updating styles directly on HTMLElement rather than updating dynamic stylesheets * removing logic related to dynamic stylesheets as they aren't required and violate CSP strict style-src rule * removed UTs related to Dynamic stylesheets * using adopted style sheet and replaceSync to update dynamic css rule in csp compliant manner * Updating styles on dirty nodes elements directly in case ConstructableStylesheet is not supported
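The two script-side approaches the thread converges on, as an added example that is not gridstack's own code: build the dynamic rules as text and attach them through a Constructable Stylesheet (`CSSStyleSheet.replaceSync` plus `document.adoptedStyleSheets`) where the browser supports it, otherwise set the properties on the matched elements directly. Both paths go through the CSSOM, which a strict `style-src` does not govern; only markup-level `<style>` content and `style=` attributes are blocked. The function names, rule shape and the constructed stub document in `demo()` are assumptions for illustration.

```javascript
// Added example (not gridstack's code). Rule shape is assumed:
// { selector, property, value }, e.g. a per-row min-height rule.
function buildCssText(rules) {
  return rules.map(r => `${r.selector} { ${r.property}: ${r.value}; }`).join('\n');
}

// Feature check: Constructable Stylesheets need both replaceSync and
// document.adoptedStyleSheets; older engines lack one or both.
function supportsConstructableSheets(win) {
  return typeof win.CSSStyleSheet === 'function' &&
    'replaceSync' in win.CSSStyleSheet.prototype &&
    win.document !== undefined && 'adoptedStyleSheets' in win.document;
}

// Path 1: a script-created sheet adopted by the document. No <style> text
// is parsed from markup, so a strict style-src does not block it.
function applyWithAdoptedSheet(doc, rules) {
  const sheet = new doc.defaultView.CSSStyleSheet();
  sheet.replaceSync(buildCssText(rules));
  doc.adoptedStyleSheets = [...doc.adoptedStyleSheets, sheet];
  return sheet;
}

// Path 2 (fallback): set each property on the matching elements via the
// CSSOM. element.style.setProperty is not an inline style attribute in
// markup and is therefore not subject to style-src either.
function applyDirectly(doc, rules) {
  let touched = 0;
  for (const r of rules) {
    for (const el of doc.querySelectorAll(r.selector)) {
      el.style.setProperty(r.property, r.value);
      touched += 1;
    }
  }
  return touched;
}

// Picks the best CSP-compatible path and reports which one was used.
function applyRules(doc, rules) {
  if (supportsConstructableSheets(doc.defaultView)) {
    applyWithAdoptedSheet(doc, rules);
    return 'adopted-stylesheet';
  }
  applyDirectly(doc, rules);
  return 'element-style';
}

// Constructed stub document (no real DOM here) so the example runs offline.
function demo() {
  const el = { style: { props: {}, setProperty(p, v) { this.props[p] = v; } } };
  const doc = { defaultView: {}, querySelectorAll: () => [el] }; // no CSSStyleSheet
  const rules = [{ selector: '.grid-stack-item', property: 'min-height', value: '80px' }];
  return { path: applyRules(doc, rules), minHeight: el.style.props['min-height'] };
}
```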
This will get solved by #2854, I believe.
gridstack.js seems to use inline styles extensively. We would like to disable inline styles via CSP's style-src to avoid the security risk they present. Are there any plans for gridstack.js to avoid the use of inline-styles?