ionic-team/ionicons

bug: CSP - Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem …"

Open

#1,218 opened on May 20, 2023

View on GitHub
 (2 comments) (2 reactions) (0 assignees)TypeScript (2,083 forks)batch import
help wanted

Repository metrics

Stars
 (17,256 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

Current Behavior

When you enable at least the following CSP header

Content-Security-Policy = 'default-src https://cdnjs.cloudflare.com/ajax/libs; style-src-elem https://cdnjs.cloudflare.com/ajax/libs'

browsers will refuse to apply inline styles (rightfully).

The exact error message:

p-ea7bbed1.system.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src-elem localhost […]". Either the 'unsafe-inline' keyword, a hash ('sha256-NBfyYgxoWTkJ9SyHWLNVIq8UkKGvsaGPAaGmNMpVMSA='), or a nonce ('nonce-...') is required to enable inline execution.

Problematic code (in the last line):

{
    $.innerHTML = n + v;
    $.setAttribute("data-styles", "");
    l.insertBefore($, o ? o.nextSibling : l.firstChild)
}

File: https://cdnjs.cloudflare.com/ajax/libs/ionicons/7.1.0/ionicons/p-ea7bbed1.system.js

Expected Behavior

Styles applied normally from JS and not inline.

Steps to Reproduce

Turn on the mentioned CSP headers.

Code Reproduction URL

No response

Additional Information

No response

Contributor guide