fix: injecting style element violates CSP #5946
// https://stackoverflow.com/q/3922139 | ||
var style = platform._style || document.createElement('style'); | ||
if (!platform._style) { |
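Review bot: platform._style in "var style = platform._style || document.createElement('style')" and the "if (!platform._style)" guard act as a create-once cache, but nothing in these lines says why. If the element type or the caching changes, add a short comment stating whether the element is meant to be created once and reused, so that a later caller does not end up adding a new element on every call.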
injectCSS() is only called once so we don't have to care about caching created element.
The reason this is cached is for the case of multiple charts on a single page. We only want 1 style element then.
But the styles should be injected multiple times? Please note that style.appendChild(document.createTextNode(css)); wasn't part of that if.
No, the style in platform.initialize() shouldn't be injected multiple times, but injectCSS() could be called multiple times to inject different style under the same style element. That's not the case currently but that could change, so injectCSS() still needs to be able to be called multiple times (which I guess is still the case).
It's still possible to call injectCSS() multiple times but that will cause multiple link elements to be added. I didn't benchmark but I guess this is better from a performance perspective cause replacing may cause a more expensive rerendering.
Tests are failing. Can you also share a live example that shows the CSP issue resolved?
Using a link element is also the recommended approach in the linked StackOverflow question. Code is mostly a copy and paste from this answer. Fixes chartjs#5208 together with chartjs#5909
1356a1f to 90f55cc
Missed to append the link element to document. 😲 Fixed that one. Tests are passing now.
I'm not quite sure if setting CSP is possible in JS Fiddle and similar services. Will investigate that one next year. 😆
This fix still violates CSP:
Here is a live example: https://codepen.io/anon/pen/EGoggR I'm sorry for the noise. Will dig deeper in this topic and try to come up with another solution.
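As an added illustration (not code from this pull request or from Chart.js), here is a simplified model of how the style-src directive is applied to the two injection routes discussed in this thread: a style element and a link element. The function names, the origins, the data:/blob: link cases and the exact-origin host matching are assumptions made for the example.

```javascript
// Added example: simplified style-src evaluation. Host sources are matched by
// exact origin only; paths, ports and subdomain wildcards are left out.
function styleSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (key && !directives.has(key)) directives.set(key, values);
  }
  // style-src falls back to default-src; null means styles are unrestricted.
  return directives.get('style-src') ?? directives.get('default-src') ?? null;
}

// load is { kind: 'inline', nonce? } for a <style> element, or
// { kind: 'link', url, pageOrigin } for a <link rel="stylesheet">.
function isStyleAllowed(policy, load) {
  const sources = styleSources(policy);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());

  if (load.kind === 'inline') {
    // Nonces are case-sensitive, so compare against the original tokens.
    if (load.nonce && sources.includes(`'nonce-${load.nonce}'`)) return true;
    // Any nonce or hash source makes the browser ignore 'unsafe-inline'.
    const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  }

  const url = new URL(load.url, load.pageOrigin);
  if (lower.includes(url.protocol)) return true; // scheme source such as data:
  // data: and blob: URLs match neither 'self' nor *; they must be listed.
  if (url.protocol === 'data:' || url.protocol === 'blob:') return false;
  if (lower.includes('*') && /^https?:$/.test(url.protocol)) return true;
  if (lower.includes("'self'") && url.origin === load.pageOrigin) return true;
  return lower.includes(url.origin.toLowerCase());
}

// Constructed sample inputs.
const page = 'https://app.example';
const strict = "default-src 'self'";
const dataLink = { kind: 'link', url: 'data:text/css,canvas%7Bcolor%3Ared%7D', pageOrigin: page };
console.log('style element :', isStyleAllowed(strict, { kind: 'inline' }));
console.log('data: link    :', isStyleAllowed(strict, dataLink));
console.log('same-origin   :', isStyleAllowed(strict, { kind: 'link', url: '/chart.css', pageOrigin: page }));
```

Under the constructed policy only the same-origin stylesheet file loads; the style element and the data: link are both refused unless the policy is loosened or a nonce is supplied.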