ionic-team/ionicons

bug: CSP - Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem …"

Open

#1.218 aberto em 20 de mai. de 2023

Ver no GitHub
 (2 comments) (2 reactions) (0 assignees)TypeScript (17.256 stars) (2.083 forks)batch import
help wanted

Description

Current Behavior

When you enable at least the following CSP header

Content-Security-Policy = 'default-src https://cdnjs.cloudflare.com/ajax/libs; style-src-elem https://cdnjs.cloudflare.com/ajax/libs'

browsers will refuse to apply inline styles (rightfully).

The exact error message:

p-ea7bbed1.system.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem localhost […]". Either the 'unsafe-inline' keyword, a hash ('sha256-NBfyYgxoWTkJ9SyHWLNVIq8UkKGvsaGPAaGmNMpVMSA='), or a nonce ('nonce-...') is required to enable inline execution.

Problematic code (in the last line):

{
    $.innerHTML = n + v;
    $.setAttribute("data-styles", "");
    l.insertBefore($, o ? o.nextSibling : l.firstChild)
}

File: https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.1.0/ionicons/p-ea7bbed1.system.js

Expected Behavior

Styles applied normally from JS and not inline.

Steps to Reproduce

Turn on the mentioned CSP headers.

Code Reproduction URL

No response

Additional Information

No response

Guia do colaborador

Pilha de tecnologia
javascripttypescripthtmlcssweb components
Domain
frontendsecurity
Tipo Issue
bug
DifficultyDificuldade de implementação estimada para um novo contribuidor, de 1 para alterações muito pequenas a 5 para trabalho de nível especializado.
3
Tempo estimadoUm intervalo de tempo aproximado para um colaborador experiente investigar, implementar, testar e preparar um pull request.
1-3 hours
Status da atividadeQuão disponível o issue aparece agora: novo, ativo, obsoleto, bloqueado ou aguardando entrada do mantenedor.
fresh
ClarityCom que clareza o issue explica a mudança esperada, os critérios de aceitação e a próxima etapa.
mostly clear
Prerequisites
Understanding of Content Security Policy (CSP)Familiarity with how ionicons injects styles
Simpatia para novatosUma pontuação de 1 a 100 que estima o quão acessível este issue é para colaboradores iniciantes.
60
Direção de pesquisa
Investigate the ionicons source code to find where inline styles are injected via innerHTML. Consider using a nonce or hash for style src elem, or refactor to load styles from a separate file. Look at the system.js file referenced in the issue (p ea7bbed1.system.js) and the associated loader code. Check if there are existing discussions or PRs addressing CSP compliance. The maintainers have not yet responded, so propose a fix that avoids inline styles, for example by using CSSStyleSheet or constructing stylesheets with nonce support.