Promotion of unsafe code #613
Comments
We can improve our documentation. Our official recommendation is to use https://github.com/webpack-contrib/style-loader#recommend and to use style-loader only for development purposes, for perf reasons. Anyway, in some cases developers want to inline CSS due to some internal reasons and we can't forbid it to them; you should trust your code when you inline it.
xi added three commits to xi/style-loader that referenced this issue on Dec 6, 2023, and one more on Dec 8, 2023.
Documentation Is:
Please Explain in Detail...
Content Security Policies (CSPs) make the web a safer place. Authors can use unsafe policies, but those are clearly labelled so authors do not use them by accident. One such unsafe policy is `unsafe-inline`.

This loader heavily promotes unsafe-inline code: all available options for `injectType` except for `linkTag` are unsafe, including the default value (`styleTag`). This makes it a barrier for the adoption of tighter CSPs. As this loader is used on a lot of websites, this has a huge impact on the security of the web in general.

As discussed in #306 and #487, CSPs allow the use of nonces for inline code. However, these are not a proper solution. The spec is quite clear about the many drawbacks of nonces:
Your Proposal for Changes
`linkTag`
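As an added example that is not part of the issue or of style-loader's own code, this JavaScript models the CSP3 decision the issue describes: why a runtime-injected `<style>` element (what the default `styleTag` mode produces) needs `'unsafe-inline'` or a per-response nonce, while a `<link>` to a same-origin stylesheet (`linkTag`) passes under a plain `'self'` policy. The CSP header strings and URLs used are constructed for illustration.

```javascript
// Added example (not from style-loader or the issue author). Models the CSP3 rules for
// <style> elements: the <style> that injectType "styleTag" injects at runtime needs
// 'unsafe-inline' or a matching nonce; the <link> that "linkTag" emits passes on 'self'.

function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first one wins
  }
  return directives;
}

// Source list governing <style> and <link rel=stylesheet> elements, following the
// CSP3 fallback chain style-src-elem -> style-src -> default-src. null = unrestricted.
function styleElemSources(directives) {
  for (const name of ["style-src-elem", "style-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// Would a <style> element injected at runtime (optionally carrying `nonce`) be allowed?
// Hash sources cannot match here: the injected CSS changes with every build.
function inlineStyleAllowed(header, nonce) {
  const sources = styleElemSources(parseCsp(header));
  if (sources === null) return { allowed: true, reason: "no style-src or default-src" };
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return { allowed: true, reason: "nonce matched" };
  // CSP3: when a nonce or hash source is present, 'unsafe-inline' is ignored.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    return { allowed: true, reason: "'unsafe-inline' present" };
  }
  return { allowed: false, reason: hasNonceOrHash ? "nonce or hash not matched" : "inline styles blocked" };
}

// Contrast for linkTag: a same-origin stylesheet URL is a host-source match on 'self'.
// Only the 'self' source is modelled; explicit host sources are not evaluated.
function sameOriginLinkAllowed(header, stylesheetUrl, pageOrigin) {
  const sources = styleElemSources(parseCsp(header));
  if (sources === null) return true;
  const sameOrigin = new URL(stylesheetUrl, pageOrigin).origin === new URL(pageOrigin).origin;
  return sameOrigin && sources.map((s) => s.toLowerCase()).includes("'self'");
}
```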