Opened 3 years ago

Last modified 3 years ago

#15384 new bug

CSP Violation ('style-src') in Position.js

Reported by: Manish Kumar
Owned by:
Priority: major
Milestone: none
Component: ui.position
Version: 1.12.1
Keywords:
Cc: Manish Kumar
Blocked by:
Blocking:

Description

When I invoke the method scrollbarWidth from the position.js file, it throws a CSP security violation error and blocks the execution.

The scrollbarWidth method in position.js is responsible for injecting HTML with inline styles, which is against CSP compliance for style-src.

My app restricts me from using any code which has a CSP violation. Please find the code below, which I have taken from position.js:

$.position = {
	scrollbarWidth: function() {
		if ( cachedScrollbarWidth !== undefined ) {
			return cachedScrollbarWidth;
		}
		var w1, w2,
			div = $( "<div " +
				"style='display:block;position:absolute;width:50px;height:50px;overflow:hidden;'>" +
				"<div style='height:100px;width:auto;'></div></div>" ),
			innerDiv = div.children()[ 0 ];

For demo purposes, I am attaching a gist. Please find the link below: https://gist.github.com/manish2788/6889806f714068a2fdcf5ef11214c9c5
JS Bin : https://jsbin.com/nacizar/edit

How to verify the issue in the gist: Remove or comment out the following code [var scrollBarWidth = $.position.scrollbarWidth();] and the CSP error which I am printing will disappear.

Can I expect a solution to this issue?

Change History (1)

comment:1 Changed 3 years ago by Manish Kumar

Cc: Manish Kumar added
Priority: minor → major
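
Added example, not part of the ticket and not jQuery UI's code: one way to take the same measurement without parsing any markup that carries a style attribute, so a policy such as "style-src 'self'" has nothing to block. The names measureScrollbarWidth, setStyles and the doc parameter are hypothetical, and the measurement steps after element creation are an assumption, since the excerpt in the ticket stops before them.

```javascript
// Writes through element.style go via the CSSOM. Unlike style="..." in an
// HTML string or setAttribute("style", ...), they are not treated as inline
// styles by CSP, so style-src without 'unsafe-inline' does not block them.
let cachedScrollbarWidth; // mirrors the cache variable in the ticket's excerpt

function setStyles(el, styles) {
  for (const [prop, value] of Object.entries(styles)) {
    el.style[prop] = value;
  }
}

// doc is the page's document object, passed in so the function can also be
// exercised against a stub outside a browser.
function measureScrollbarWidth(doc) {
  if (cachedScrollbarWidth !== undefined) {
    return cachedScrollbarWidth;
  }
  const outer = doc.createElement("div");
  const inner = doc.createElement("div");
  // Same declarations as the two inline style attributes in the excerpt.
  setStyles(outer, {
    display: "block",
    position: "absolute",
    width: "50px",
    height: "50px",
    overflow: "hidden"
  });
  setStyles(inner, { height: "100px", width: "auto" });
  outer.appendChild(inner);
  doc.body.appendChild(outer);

  const w1 = inner.offsetWidth;    // inner width while no scrollbar is shown
  outer.style.overflow = "scroll"; // force the scrollbar to render
  let w2 = inner.offsetWidth;      // inner width with the scrollbar present
  if (w1 === w2) {
    w2 = outer.clientWidth;        // fallback if the inner width did not change
  }
  doc.body.removeChild(outer);     // leave no probe element behind

  cachedScrollbarWidth = w1 - w2;
  return cachedScrollbarWidth;
}
```

In a page, call it as measureScrollbarWidth(document) from a script that the policy's script-src already allows.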