Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The use of setAttribute('style', ...) causes CSP violations #429

Closed
lambdacasserole opened this issue Apr 21, 2018 · 0 comments
Closed

The use of setAttribute('style', ...) causes CSP violations #429

lambdacasserole opened this issue Apr 21, 2018 · 0 comments
Labels
Enhancement Icebox

Comments

@lambdacasserole
Copy link

If I use ScrollReveal in a web application served with a Content Security Policy that doesn't include style-src unsafe-inline it doesn't work, because inline style attributes are not permitted and ScrollReveal generates them by using setAttribute('style', ...) in several places, for example here.

Including style-src unsafe-inline isn't considered great practice because it makes XSS (cross-site styling) attacks much easier.

This can be addressed by manipulating element styles using element.style['attr-name'] = '...' instead.

Specs of test machine:

  • OS: Windows 10 Home
  • Browser: Chrome Version 65.0.3325.181 (Official Build) (64-bit)
  • ScrollReveal Version: 3.4.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Enhancement Icebox
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jlmakes @lambdacasserole