Content Security Policy

[karthikbp21]

Summarize your issue here.

Steps to reproduce

Tell us how to reproduce this issue.

1. I have used the jquery chosen plugin in the ruby on rails application.

2. Now we have added Content Security Policy with this configuration
   config.content_security_policy do |policy|
   policy.default_src :self, :https
   policy.font_src :self, :https, :data
   policy.img_src :self, :https, :data
   policy.object_src :none
   policy.script_src :self, :https
   policy.style_src :self, :https
   end

3. The Ui is messed up ,

4 . I am getting this error in browser console -
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-tJPRxlo7t/U4c74xGxAN1A=='". Either the 'unsafe-inline' keyword, a hash ('sha256-swWWFBTKQXm0oEF+bI6rqAGSUMQOxhhlwCWaO9mM1w0='), or a nonce ('nonce-...') is required to enable inline execution.

Additionally, please link to a working demo that shows the issue so we can attempt to reproduce. You can use this template as a base. Alternatively, confirm that the Chosen demo page shows the issue.

Expected behavior

It should work normal even CSP is switched on

Actual behavior

The inline styles are not getting added to the element

Environment

• Chosen Version:

• v1.8.7

• jQuery or Prototype Version:

• Jquery

• Browser and Version:

• Chrome lany version is fine

• OS and Version:

• Mac any version is fine

Additional information

Any other information you want to share that is relevant to the issue being reported. This might include the lines of code that you have identified as causing the bug, or potential solutions and workarounds.

[karthikbp21]

I can see there are 3 places where inline style has been added. Which should have been added using jQuery