ionic-team/ionicons

bug: CSP - Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem …"

Open

#1,218 创建于 2023年5月20日

在 GitHub 查看
 (2 评论) (2 反应) (0 负责人)TypeScript (17,256 star) (2,083 fork)batch import
help wanted

描述

Current Behavior

When you enable at least the following CSP header

Content-Security-Policy = 'default-src https://cdnjs.cloudflare.com/ajax/libs; style-src-elem https://cdnjs.cloudflare.com/ajax/libs'

browsers will refuse to apply inline styles (rightfully).

The exact error message:

p-ea7bbed1.system.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem localhost […]". Either the 'unsafe-inline' keyword, a hash ('sha256-NBfyYgxoWTkJ9SyHWLNVIq8UkKGvsaGPAaGmNMpVMSA='), or a nonce ('nonce-...') is required to enable inline execution.

Problematic code (in the last line):

{
    $.innerHTML = n + v;
    $.setAttribute("data-styles", "");
    l.insertBefore($, o ? o.nextSibling : l.firstChild)
}

File: https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.1.0/ionicons/p-ea7bbed1.system.js

Expected Behavior

Styles applied normally from JS and not inline.

Steps to Reproduce

Turn on the mentioned CSP headers.

Code Reproduction URL

No response

Additional Information

No response

贡献者指南

技术栈
javascripttypescripthtmlcssweb components
领域
frontendsecurity
议题类型
bug
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
3
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-3 hours
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
fresh
清晰度议题是否清楚说明期望改动、验收标准和下一步。
mostly clear
前置要求
Understanding of Content Security Policy (CSP)Familiarity with how ionicons injects styles
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
60
研究方向
Investigate the ionicons source code to find where inline styles are injected via innerHTML. Consider using a nonce or hash for style src elem, or refactor to load styles from a separate file. Look at the system.js file referenced in the issue (p ea7bbed1.system.js) and the associated loader code. Check if there are existing discussions or PRs addressing CSP compliance. The maintainers have not yet responded, so propose a fix that avoids inline styles, for example by using CSSStyleSheet or constructing stylesheets with nonce support.