#15384 new bug ()

Opened July 13, 2020 09:16AM UTC

Last modified July 16, 2020 12:20PM UTC

CSP Violation ('style-src') in Position.js

Reported by: manish2788 Owned by:
Priority: major Milestone: none
Component: ui.position Version: 1.12.1
Keywords: Cc: manish2788
Blocked by: Blocking:
Description

When I invoke the method **scrollbarWidth** from the position.js file, it throws a CSP security violation error and blocks the execution.

The scrollbarWidth method in position.js is responsible for injecting HTML with inline styles, which is against CSP compliance for style-src.

My app restricts me from using any code which has a CSP violation. Please find the code below, which I have taken from position.js:

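```javascript
$.position = {
	scrollbarWidth: function() {
		if ( cachedScrollbarWidth !== undefined ) {
			return cachedScrollbarWidth;
		}

		// The HTML string below carries inline style attributes; these are
		// what the report identifies as the style-src violation.
		var w1, w2,
			div = $( "<div " +
				"style='display:block;position:absolute;width:50px;height:50px;overflow:hidden;'>" +
				"<div style='height:100px;width:auto;'></div></div>" ),
			innerDiv = div.children()[ 0 ];

		// ... the excerpt in the report ends here
```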

For demo purposes, I am attaching a gist. Please find the link below:

https://gist.github.com/manish2788/6889806f714068a2fdcf5ef11214c9c5

JS Bin : https://jsbin.com/nacizar/edit

**How to verify the issue in gist:**

Remove or comment out the following code:

`var scrollBarWidth = $.position.scrollbarWidth();`

The CSP error which I am printing will disappear.

Can I expect a solution to this issue?
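
An added example (not part of the ticket and not jQuery UI's own code): the same measurement with the styles applied through the CSSOM (`element.style.x = ...`) instead of parsed `style` attributes, which `style-src` does not block. The function name, the `doc` parameter, and the measuring steps after element creation are assumptions, since the excerpt above stops before them.

```javascript
var cachedScrollbarWidth;

// `doc` is a hypothetical parameter so the function can also be driven by a
// stub document; in a page it defaults to the global `document`.
function scrollbarWidthCspSafe( doc ) {
	if ( cachedScrollbarWidth !== undefined ) {
		return cachedScrollbarWidth;
	}
	doc = doc || document;

	var w1, w2,
		div = doc.createElement( "div" ),
		innerDiv = doc.createElement( "div" );

	// Same values as the inline styles in the excerpt, set as CSSOM
	// properties, so no style attribute is ever parsed or written.
	div.style.display = "block";
	div.style.position = "absolute";
	div.style.width = "50px";
	div.style.height = "50px";
	div.style.overflow = "hidden";
	innerDiv.style.height = "100px";
	innerDiv.style.width = "auto";

	div.appendChild( innerDiv );
	doc.body.appendChild( div );

	// Assumed measuring step: inner width before and after a scrollbar
	// is forced on the outer element.
	w1 = innerDiv.offsetWidth;
	div.style.overflow = "scroll";
	w2 = innerDiv.offsetWidth;

	// If the inner width did not change, use the outer clientWidth instead.
	if ( w1 === w2 ) {
		w2 = div.clientWidth;
	}

	doc.body.removeChild( div );
	return ( cachedScrollbarWidth = w1 - w2 );
}
```
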

Attachments (0)
Change History (1)

Changed July 16, 2020 12:20PM UTC by manish2788 comment:1

cc: → manish2788
priority: minor → major