Opened 18 months ago

Last modified 18 months ago

#15384 new bug

CSP Violation ('style-src') in Position.js

Reported by: Manish Kumar
Owned by:
Priority: major
Milestone: none
Component: ui.position
Version: 1.12.1
Keywords:
Cc: Manish Kumar
Blocked by:
Blocking:


When I invoke the method scrollbarWidth from the position.js file, it throws a CSP security violation error and blocks the execution.

The scrollbarWidth method in position.js is responsible for injecting HTML with inline styles, which is against CSP compliance for style-src.

My app restricts me from using any code which has a CSP violation. Please find the code below, which I have taken from position.js:

$.position = {
	scrollbarWidth: function() {
		if ( cachedScrollbarWidth !== undefined ) {
			return cachedScrollbarWidth;
		}
		var w1, w2,
			div = $( "<div " +
				"style='display:block;position:absolute;width:50px;height:50px;overflow:hidden;'>" +
				"<div style='height:100px;width:auto;'></div></div>" ),
			innerDiv = div.children()[ 0 ];

For demo purposes I am attaching a gist. Please find the link below:
JS Bin :

How to verify the issue in the gist: remove or comment out the following code [var scrollBarWidth = $.position.scrollbarWidth();] and the CSP error which I am printing will disappear.

Can I expect a solution to this issue?
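
Why the quoted markup trips the policy, as an added example that is not part of the ticket or of jQuery UI: a simplified model of how a browser decides whether style attributes are allowed (fallback order style-src-attr, style-src, default-src), run against the markup string from the excerpt above. The function names and sample policies are constructed, and per-attribute 'unsafe-hashes' matching is not modelled.

```javascript
// Added example: simplified model of CSP handling of inline style attributes.
// Not jQuery UI code; helper names and sample policies are constructed.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Within one policy, the first occurrence of a directive wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Decide whether style="..." attributes are permitted under the policy.
function inlineStyleAttrAllowed(policy) {
  const list = policy["style-src-attr"] ?? policy["style-src"] ?? policy["default-src"];
  if (list === undefined) return true; // no directive governs styles
  const has = (re) => list.some((s) => re.test(s));
  // A nonce or hash source makes the browser ignore 'unsafe-inline'.
  // Simplification: 'unsafe-hashes' matching is reported as blocked.
  if (has(/^'(nonce|sha(256|384|512))-/i)) return false;
  return has(/^'unsafe-inline'$/i);
}

// Extract the style attribute values from an HTML fragment held in a string.
function findInlineStyles(html) {
  const found = [];
  const re = /\sstyle\s*=\s*(?:'([^']*)'|"([^"]*)")/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1] ?? m[2]);
  return found;
}

// Return the style attributes in `html` that `cspHeader` would block.
function blockedInlineStyles(cspHeader, html) {
  return inlineStyleAttrAllowed(parseCsp(cspHeader)) ? [] : findInlineStyles(html);
}

// Markup string quoted in the ticket (from position.js).
const SCROLLBAR_MARKUP = "<div " +
  "style='display:block;position:absolute;width:50px;height:50px;overflow:hidden;'>" +
  "<div style='height:100px;width:auto;'></div></div>";

console.log(blockedInlineStyles("default-src 'self'", SCROLLBAR_MARKUP));
```

Under a policy such as default-src 'self' both style attributes in the markup are reported, which matches the violation described in the ticket.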

Change History (1)

comment:1 Changed 18 months ago by Manish Kumar

Cc: Manish Kumar added
Priority: minor → major