Content Security Policy

[mklilley]

I am aware of an older issues about CSP #2155 but was unable to comment on it as it was closed. It was suggested that the createHTML function could fix errors like:

Refused to apply inline style because it violates the following Content Security Policy directive: [...]

However, it's my understanding that CSP as it relates to style attributes (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src) cannot be handled by a nonce and hence the createHTML would not be of use.

More specifically, it seems like nonces are only applicable to style tags as opposed to inline style attributes. It seems like inline style attributes are not compatible with CSP at all.

Am I right in this?

Thanks

Matt

[arnog]

Unfortunately I cannot comment on how CSP works. Hopefully someone more knowledgeable could chime in.

I do not have a reproducible case of this problem. I'm not sure there is a problem. Without it, it would not be possible to investigate the issue (if there is one).

But if anyone has information about how to reproduce this problem and how to potentially solve it, I'd be very interested to hear.

[mklilley]

Yeah, that's totally fair. Let me see what I can do. Thanks for responding so fast.