
CSP for dynamically loaded CSS

So I'm loading a JavaScript file from a third party into my application which injects an iframe onto the page. When that iframe loads, it loads its own JavaScript which creates an inline style tag in the parent window.

Because of this flow, I have to have "unsafe-inline" in my content security policy for the style-src directive. Is there anything like strict-dynamic that would work for styles loaded like this? Or is there some kind of solution in which I don't have to have "unsafe-inline" listed in my CSP that still allows this one stylesheet?

Best I can come up with is to scan this redirected file every couple of hours and generate subresource integrity hashes for it to inject into my CSP on a regular basis, but this seems really fragile.

Setting CSS via the CSS Object Model (CSSOM) works with CSP. Thus:

document.getElementById(id).style.left = '343px';

In this case you may have to convince the 3rd party vendor to alter their JavaScript.

source: https://stackoverflow.com/a/29089970/339440
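The CSSOM approach from the answer above, as an added example that is not part of the original post or the vendor's code: a script that would otherwise inject a style attribute or `<style>` tag can apply the same declarations with `style.setProperty`, which a `style-src` policy without 'unsafe-inline' does not block. The helper names `splitDeclarations` and `applyDeclarations` are hypothetical.

```javascript
// Added example: apply a declaration list through the CSSOM instead of an
// inline style attribute, so style-src needs no 'unsafe-inline'.
// splitDeclarations and applyDeclarations are hypothetical helper names.

// Split "a: b; c: d" on semicolons that are not inside quotes or parentheses,
// so values such as url("data:image/png;base64,...") stay in one piece.
function splitDeclarations(cssText) {
  const parts = [];
  let current = '';
  let quote = null; // the open quote character, or null when outside a string
  let depth = 0;    // nesting depth of parentheses
  for (let i = 0; i < cssText.length; i++) {
    const ch = cssText[i];
    if (quote) {
      // Inside a string: copy an escaped character verbatim, watch for the end.
      if (ch === '\\') { current += ch + (cssText[++i] ?? ''); continue; }
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '(') {
      depth++;
    } else if (ch === ')') {
      depth = Math.max(0, depth - 1);
    } else if (ch === ';' && depth === 0) {
      parts.push(current);
      current = '';
      continue;
    }
    current += ch;
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Apply each "property: value [!important]" pair via element.style.setProperty.
// Returns the property names that were applied; malformed entries are skipped.
function applyDeclarations(element, cssText) {
  const applied = [];
  for (const decl of splitDeclarations(cssText)) {
    const colon = decl.indexOf(':');
    if (colon < 1) continue; // no property name before the colon
    const name = decl.slice(0, colon).trim();
    let value = decl.slice(colon + 1).trim();
    let priority = '';
    const m = /\s*!\s*important$/i.exec(value);
    if (m) { priority = 'important'; value = value.slice(0, m.index); }
    if (!value) continue;
    element.style.setProperty(name, value, priority);
    applied.push(name);
  }
  return applied;
}
```

In a browser this would be called as `applyDeclarations(document.getElementById(id), 'left: 343px')`; passing the same string to `setAttribute('style', ...)` is what the policy would reject.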
