-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Set style properties directly in mutation #211
base: sentry-v2
Are you sure you want to change the base?
Conversation
export function splitStyleAttributes(styles: string) { | ||
const splitStyles = styles.split(';'); | ||
return splitStyles | ||
.filter((value) => value.split(':').length == 2) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Q: Is this safe? Could styles not include colons in other places? Not 100% sure, just want to double check!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That will probably be an issue sooner or later, you're right
Co-authored-by: Francesco Novy <francesco.novy@sentry.io>
Co-authored-by: Francesco Novy <francesco.novy@sentry.io>
I have tried several options on injecting these styles (with nonces), like using a shadow dom, an iframe or just a style tag but all of these were still triggering the csp error. The only option that really worked were setting the attributes directly using javascript, which is most likely too brittle and expensive to do. The only other alternative that kinda worked was:
but this alters values (e.g. |
Unsure, if this is viable in your case, but some libraries offer a |
This PR sets style attributes directly instead of rewriting the full
style
attribute. That avoids users running into runtime CSP errors when they have not configuredunsafe-inline
in their CSP.fixes #145
relates to #10481