I'm working on a site that uses this plugin (v0.1.19). To improve site security, I'm adding a Content Security Policy which, among other things, does not allow inline styles. The security risk posed by these is covered in this talk. In general, it's stuff like "if you allow inline styles, an attacker might somehow get `<style>` tags into your site that add deceptive elements, query for information in the page using attribute selectors, send data back to the attacker by setting specially-named background image URLs, etc."

We want to make that impossible. As an example CSP, if I send the very permissive header `Content-Security-Policy:default-src *`, it means "you can source scripts or styles or anything else from anywhere". But because that header doesn't whitelist inline scripts or styles, it implicitly forbids them.

When I load a page in my app that uses this plugin and sends that CSP header, I get an error in the Chrome developer console:

> Refused to apply inline style because it violates the following Content Security Policy directive: "default-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-7BWCoAyyyh4N57ifiNqsR2logKoVQnqkizK8Ya5j02g='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

Clicking on the error message gives me a stack trace that isn't super clear, but I found that if I comment out these lines that create and append a `<style>` tag, the warning disappears.

Could you instead provide this style as `sticky-table-headers-print-styles.css` or something similar to allow setting a CSP?

---

I am also running into an issue where CSP is flagging this script. It looks like it's still there in latest. Have there been any plans to update and improve it?