Hey,

inline styles are the style tag and the style attribute.

I had a short look at the source and it seems like you only need the style tag in _updateStyles to set the vertical size and position. I'm not familiar enough with your project but wouldn't it be possible to do this using the DOM objects and setting their styles directly? This wouldn't violate CSP (don't ask me why exactly that is so).

E.g. change

if (this._styles._max === 0) {
    Utils.insertCSSRule(this._styles, prefix, 'min-height: ' + getHeight(1, 0) + ';', 0);
}

if (this._styles._max === 0) {
    var elements = document.querySelectorAll(prefix);
    for (var i = 0; i < elements.length; ++i) {
        elements[i].style.minHeight = getHeight(1, 0);
    }
}

I'm no expert on security myself but here are some risks associated with inline styles:
http://dontkry.com/posts/code/disable-inline-styles.html
http://scarybeastsecurity.blogspot.co.at/2009/12/generic-cross-browser-cross-domain.html

Please note that I'm not saying that your use of inline styles exposes these risks. But it prevents activating the CSP style-src which is a safeguard for developers to not introduce such risks by accident.

Uh oh!

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions