Opened 3 years ago
Last modified 3 years ago
#15384 new bug
CSP Violation ('style-src') in Position.js
| Reported by: | Manish Kumar | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | none |
| Component: | ui.position | Version: | 1.12.1 |
| Keywords: | | Cc: | Manish Kumar |
| Blocked by: | | Blocking: | |
Description
When I invoke the method scrollbarWidth from the position.js file, it throws a CSP security violation error and blocks the execution.
The scrollbarWidth method in position.js is responsible for injecting HTML with inline styles, which is against CSP compliance for style-src.
My app restricts me from using any code which has a CSP violation. Please find the code below, which I have taken from position.js:
```javascript
$.position = {
	scrollbarWidth: function() {
		if ( cachedScrollbarWidth !== undefined ) {
			return cachedScrollbarWidth;
		}
		var w1, w2,
			div = $( "<div " +
				"style='display:block;position:absolute;width:50px;height:50px;overflow:hidden;'>" +
				"<div style='height:100px;width:auto;'></div></div>" ),
			innerDiv = div.children()[ 0 ];
```
For demo purposes I am attaching a gist. Please find the link below:
https://gist.github.com/manish2788/6889806f714068a2fdcf5ef11214c9c5
JS Bin : https://jsbin.com/nacizar/edit
How to verify the issue in the gist: remove or comment out the following code [`var scrollBarWidth = $.position.scrollbarWidth();`] and the CSP error which I am printing will disappear.
Can I expect a solution to this issue?
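
The violation reported above comes from the `style='...'` attributes inside the HTML string. As an added example (not jQuery UI's code and not the reporter's), the same box geometry can be built with the DOM API and styled property by property through the CSSOM, which a `style-src` policy without `'unsafe-inline'` does not block. The function names, the `doc` parameter and the measurement steps after element creation (which the excerpt does not show) are assumptions.

```javascript
// Added example, not jQuery UI code. Box geometry copied from the excerpt.
const OUTER_STYLE = {
  display: "block",
  position: "absolute",
  width: "50px",
  height: "50px",
  overflow: "hidden",
};
const INNER_STYLE = { height: "100px", width: "auto" };

// Write each property through element.style (CSSOM). Unlike a style="..."
// attribute in markup or setAttribute("style", ...), these writes are not
// subject to the style-src inline check.
function applyStyle(el, props) {
  for (const [name, value] of Object.entries(props)) {
    el.style[name] = value;
  }
}

// `doc` is a hypothetical parameter so the function can target any Document;
// it defaults to the page's own document in a browser.
function cspSafeScrollbarWidth(doc) {
  doc = doc || globalThis.document;
  const outer = doc.createElement("div");
  const inner = doc.createElement("div");
  applyStyle(outer, OUTER_STYLE);
  applyStyle(inner, INNER_STYLE);
  outer.appendChild(inner);
  doc.body.appendChild(outer);

  const w1 = inner.offsetWidth;     // inner width with no scrollbar shown
  outer.style.overflow = "scroll";  // force the scrollbar to appear
  let w2 = inner.offsetWidth;       // inner width next to the scrollbar
  if (w1 === w2) {
    // Inner width did not change: fall back to the outer client width.
    w2 = outer.clientWidth;
  }

  doc.body.removeChild(outer);      // leave no probe element behind
  return w1 - w2;
}
```

Loaded on a page served with `Content-Security-Policy: style-src 'self'`, calling `cspSafeScrollbarWidth()` should produce no `securitypolicyviolation` event, which is the check the gist performs for the original method.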