admin管理员组文章数量:1317565
In our app code we allow some objects to drag and drop around the page. Also we have things like popups that need to be positioned below buttons and dialogs that we position in the page ect.
To do so we need to allow the following inline css properties
- z-index
- top, bottom, left, right
- height, width
We cant really make classes for this, imagine left for example could be 0 to 20000 so we would need millions of classes.
I cant see any way other than inline css.
So to solve for CSP () then that means we need to fully allow style-src: unsafe-inline
I'm sure this is a mon scenario. What do people do about this case? We also use veracode to scan our software so im thinking we just "mitagate" this by explaining that we only allow a set of inline css attributes.
But i would think maybe CSP should allow a certain subset of dynamic css attributes.
Has anyone encountered this and have any thoughts?
In our app code we allow some objects to drag and drop around the page. Also we have things like popups that need to be positioned below buttons and dialogs that we position in the page ect.
To do so we need to allow the following inline css properties
- z-index
- top, bottom, left, right
- height, width
We cant really make classes for this, imagine left for example could be 0 to 20000 so we would need millions of classes.
I cant see any way other than inline css.
So to solve for CSP (https://developer.mozilla/en-US/docs/Web/HTTP/CSP) then that means we need to fully allow style-src: unsafe-inline
I'm sure this is a mon scenario. What do people do about this case? We also use veracode to scan our software so im thinking we just "mitagate" this by explaining that we only allow a set of inline css attributes.
But i would think maybe CSP should allow a certain subset of dynamic css attributes.
Has anyone encountered this and have any thoughts?
Share Improve this question asked Jul 27, 2018 at 19:51 TimTim 3,8167 gold badges45 silver badges60 bronze badges 1- Possible duplicate of Banned inline style CSP and dynamic positioning of HTML elements – Stephen R Commented Aug 12, 2018 at 13:08
2 Answers
Reset to default 6When you write CSS to elements via JavaScript using the CSSOM, it’s not the same as literally writing style=“...”; rather, you are directly manipulating the DOM [correction: the CSSOM]. CSP allows these types of styles even when not allowing unsafe-inline styles.
(See here for an example. You don’t want to add a literal “style” attribute to the element, but use the CSSOM — https://stackoverflow./a/29089970/339440 )
Unfortunately, there's currently no "clean" way of doing this. CSP doesn't currently have any way of inspecting style
attributes to determine if they're safe; it's unclear that this is possible at all, as almost any CSS attribute could be used to create misleading or otherwise unintended content on a site.
The options I see are:
Use a CSP nonce to allow inline
style
attributes on selected elements. This is similar tounsafe-inline
, but more selective (and hence a bit safer).When CSS
attr()
is implemented in all mon browsers, you :/* ATTENTION: This is not a working example; see below */ .position-by-attr { left: attr(data-left px); top: attr(data-top px); }
<div class="position-by-attr" left="123" top="456"> … </div>
However, note that this feature is not currently implemented in any browser. It is present in the CSS3 specification, but has not been implemented. It may be years (if ever) before it is practically usable.
本文标签:
版权声明:本文标题:javascript - CSP - How to solve style-src unsafe-inline -when having dynamically positioned page elements - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1742020442a2414493.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论