ionic-team/ionicons

bug: CSP - Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem …"

Open

#1218 opened on May 20, 2023

View on GitHub
 (2 comments) (2 reactions) (0 assignees)TypeScript (17,256 stars) (2,083 forks)batch import
help wanted

Description

Current Behavior

When you enable at least the following CSP header

Content-Security-Policy = 'default-src https://cdnjs.cloudflare.com/ajax/libs; style-src-elem https://cdnjs.cloudflare.com/ajax/libs'

browsers will refuse to apply inline styles (rightfully).

The exact error message:

p-ea7bbed1.system.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem localhost […]". Either the 'unsafe-inline' keyword, a hash ('sha256-NBfyYgxoWTkJ9SyHWLNVIq8UkKGvsaGPAaGmNMpVMSA='), or a nonce ('nonce-...') is required to enable inline execution.

Problematic code (in the last line):

{
    $.innerHTML = n + v;
    $.setAttribute("data-styles", "");
    l.insertBefore($, o ? o.nextSibling : l.firstChild)
}

File: https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.1.0/ionicons/p-ea7bbed1.system.js

Expected Behavior

Styles applied normally from JS and not inline.

Steps to Reproduce

Turn on the mentioned CSP headers.

Code Reproduction URL

No response

Additional Information

No response

Contributor guide

Tech stack
javascripttypescripthtmlcssweb components
Domain
frontendsecurity
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Understanding of Content Security Policy (CSP)Familiarity with how ionicons injects styles
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Investigate the ionicons source code to find where inline styles are injected via innerHTML. Consider using a nonce or hash for style src elem, or refactor to load styles from a separate file. Look at the system.js file referenced in the issue (p ea7bbed1.system.js) and the associated loader code. Check if there are existing discussions or PRs addressing CSP compliance. The maintainers have not yet responded, so propose a fix that avoids inline styles, for example by using CSSStyleSheet or constructing stylesheets with nonce support.