Avoid triggering a CSP (content security policy) error #846
5e391d0 to 92febda
Seems like this pull request can cause the failure of two test cases. Could you please check it out?
I've got errors running test suite on my computer even on the trunk. Edit: my bad not getting the tests running; my PR was indeed causing failures which I've now fixed...
edeb058 to 1de271e
// avoid upsetting original document from a Content Security point of view | ||
unattachedDoc = document.implementation.createHTMLDocument(); | ||
} catch (e) { | ||
// fallback to more direct method |
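Review bot: the `catch (e)` after `createHTMLDocument()` discards the exception, so a deployment never learns when it has dropped to the fallback path. The try branch exists to avoid upsetting the original document from a Content Security point of view, so the fallback is the case worth surfacing: log or report `e` before continuing. Also, `createHTMLDocument()` is called with no title argument; passing an empty string, `createHTMLDocument('')`, would keep engines that require the parameter on the primary path instead of the fallback.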
Do we know when we will fall back? I'm curious what would trigger errors and the fallback case? Unsupported browsers?
I'm just not 100% about that `document.implementation.createHTMLDocument();` so took the prudent option of falling back to the previous method (which is working fine but wouldn't work for you from a CSP POV).
I just looked it up now and it seems fine:
https://caniuse.com/?search=implementation.createhtmldocument
E.g. it could fail on IE11 as there is a 'title' attribute missing.
I don't think anyone is supporting IE11.
You could add some reporting in there if it happens, or add a custom commit on top (for your deployment) to revert this last commit.
I'm putting this out to a 'canary' environment today, but I don't have any reporting on whether the fallback kicks in; I'm happy enough that it worked in the rrweb test environment (Puppeteer/Chrome).
1de271e to 626fc10
…y) error with `.setAttribute('style')`
…a doctype and wasn't a HTML document, so the child style element didn't have the `old.style` attribute available
…tation.createHTMLDocument` isn't available
626fc10 to f36073d
* Fix for rrweb-io#816 - avoid triggering a CSP (content security policy) error with `.setAttribute('style')`
* The bare unattachedDoc that I previously naively created didn't have a doctype and wasn't a HTML document, so the child style element didn't have the `old.style` attribute available
* Add a try/catch to provide some robustness in case `document.implementation.createHTMLDocument` isn't available
Fix for #816 with `.setAttribute('style')` — see CSP style-src: unsafe-inline