PR #21 probably fixes this (haven't checked though). Opening an issue to provide more detail as to what the issue is and how we could address it.
First of all, fantastic library. Really makes things much simpler when I want to show the user that a task is in progress, and the fact that I don't have to add any extra markup to the page makes it all that much easier to use.
There is an issue, however, when a web application uses a content security policy that doesn't specify unsafe-inline, which is considered bad practice and sacrifices a substantial amount of security. The generated element (below) contains 4 inline style attributes, which the client will refuse to apply:
The result is a modal that works, but contains no visible progress bar (because its width is 0) and has layout issues due to the padding-top and overflow-y CSS attributes not being applied.
There are a few approaches we can take to fix this issue:
Move things to an external style sheet and make sure that style-src includes self - from PR For unsafe-inline css #21 I am guessing this isn't a particularly appealing option.
Place the burden on the CSP implementer to add specific exceptions for the SHA256 hashes of the inline styles included - Not particularly user-friendly and even the slightest change to the inline styles in this library will completely break it everywhere until users update their CSPs.
Extend the script to allow a 'nonce' to be specified - Probably the best option. As long as your users securely (i.e. unpredictably) generate a unique nonce for each page request. This won't break anything if no nonce is specified and no CSP is in place.
I'll submit a PR with the proposed change shortly.
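The nonce approach from the third option, sketched server-side as an added example that is not part of the original issue or the library's code. A CSP nonce authorises `<style>` elements rather than `style=""` attributes, so the sketch emits the rules in one nonce-carrying `<style>` block; the selectors, values and function names are assumptions.

```javascript
const { randomBytes } = require('node:crypto');

// 128 bits from the OS CSPRNG, base64-encoded. Generate one per response, never reuse.
function generateNonce() {
  return randomBytes(16).toString('base64');
}

// Policy without 'unsafe-inline': same-origin stylesheets plus
// <style> elements that carry this response's nonce.
function buildCspHeader(nonce) {
  return `default-src 'self'; style-src 'self' 'nonce-${nonce}'`;
}

// Constructed rules standing in for the library's inline styles.
// Selectors and values are hypothetical; only the property names come from the issue.
const MODAL_RULES = {
  '.progress-modal': { 'padding-top': '15%', 'overflow-y': 'visible' },
  '.progress-modal .bar': { width: '0' },
};

// Serialise the rules into a single <style> element tagged with the nonce.
// The rules are trusted constants here; never interpolate user input into CSS.
function renderStyleElement(nonce, rules) {
  const css = Object.entries(rules)
    .map(([selector, decls]) => {
      const body = Object.entries(decls)
        .map(([prop, value]) => `${prop}:${value}`)
        .join(';');
      return `${selector}{${body}}`;
    })
    .join('');
  return `<style nonce="${nonce}">${css}</style>`;
}

// One response: the header and the markup must carry the same nonce.
function buildResponse() {
  const nonce = generateNonce();
  return {
    nonce,
    headers: { 'Content-Security-Policy': buildCspHeader(nonce) },
    body:
      renderStyleElement(nonce, MODAL_RULES) +
      '<div class="progress-modal"><div class="bar"></div></div>',
  };
}
```

Width changes made afterwards through the CSSOM (`element.style.width = ...`) are not subject to `style-src`, so the bar can still be updated at runtime.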