fix: injecting style element violates CSP #5946
Conversation
| // https://stackoverflow.com/q/3922139 | ||
| var style = platform._style || document.createElement('style'); | ||
| if (!platform._style) { |
There was a problem hiding this comment.
injectCSS() is only called once so we don't have to care about caching created element.
There was a problem hiding this comment.
The reason this cached is for the case of multiple charts on a single page. We only want 1 style element then
There was a problem hiding this comment.
But the styles should be injected multiple times? Please note that style.appendChild(document.createTextNode(css)); wasn't part of that if.
There was a problem hiding this comment.
No, the style in platform.initialize() shouldn't be injected multiple times, but injectCSS() could be called multiple time to inject different style under the same style element. That's not the case currently but that could change so injectCSS() still need to be able to be called multiple times (which I guess is still the case).
There was a problem hiding this comment.
It's still possible to call injectCSS() multiple times but that will cause multiple link elements to be added. I didn't benchmark but I guess this is better from a performance perspective cause replacing may cause a more expensive rerendering.
|
Tests are failing. Can you also share a live example that shows the CSP issue resolved? |
Using a link element is also recommended approach linked StackOverflow question. Code is mostly a copy and paste from this answer. Fixes chartjs#5208 together with chartjs#5909
jelhan
force-pushed
the
issue-5208-csp-violation
branch
from
1356a1f
to
90f55cc
Compare
Missed to append the link element to document. 😲 Fixed that one. Tests are passing now.
I'm not quite sure if setting CSP is possible in JS Fiddle and similar services. Will investigate that one next year. 😆 |
|
This fix still violates CSP: Here is a live example: https://codepen.io/anon/pen/EGoggR I'm sorry for the noise. Will dig deeper in this topic and try to come up with another solution. |
Using a link element is also recommended approach linked StackOverflow
question. Code is mostly a copy and paste from this answer.
Fixes #5208 together with #5909