bug: CSP - Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem …"

Descrizione

Content-Security-Policy = 'default-src https://cdnjs.cloudflare.com/ajax/libs; style-src-elem https://cdnjs.cloudflare.com/ajax/libs'

p-ea7bbed1.system.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem localhost […]". Either the 'unsafe-inline' keyword, a hash ('sha256-NBfyYgxoWTkJ9SyHWLNVIq8UkKGvsaGPAaGmNMpVMSA='), or a nonce ('nonce-...') is required to enable inline execution.

{
    $.innerHTML = n + v;
    $.setAttribute("data-styles", "");
    l.insertBefore($, o ? o.nextSibling : l.firstChild)
}

Guida contributor

Tech stack

javascripttypescripthtmlcssweb components

Dominio

frontendsecurity

Tipo issue

bug

DifficoltàQuanto dovrebbe essere impegnativa per un nuovo contributor.

3

Tempo stimatoTempo stimato per completare e verificare uno scope piccolo.

1-3 hours

Stato attivitàQuanto è probabile che la issue sia ancora attiva e reviewable.

fresh

ChiarezzaQuanto chiaramente la issue descrive problema, scope e risultato atteso.

mostly clear

Prerequisiti

Understanding of Content Security Policy (CSP)Familiarity with how ionicons injects styles

Adatta ai principiantiQuanto la issue è adatta a contributor alla prima esperienza.

60

Direzione di ricerca

Investigate the ionicons source code to find where inline styles are injected via innerHTML. Consider using a nonce or hash for style src elem, or refactor to load styles from a separate file. Look at the system.js file referenced in the issue (p ea7bbed1.system.js) and the associated loader code. Check if there are existing discussions or PRs addressing CSP compliance. The maintainers have not yet responded, so propose a fix that avoids inline styles, for example by using CSSStyleSheet or constructing stylesheets with nonce support.