CSP violation without 'unsafe-inline' #6434
Comments
Using the
it's a general button creation problem, not a wave effect itself
The CSP violations only show in the console after Materialize tries to apply some styles with
As you can see it in the blame view this code is directly from waves.js.
There had been a PR for that once, with a somewhat unsatisfying conclusion: #6357
Expected Behavior
A button with waves-effect should not require 'unsafe-inline' to work with a content security policy.
Current Behavior
A content security policy needs the 'unsafe-inline' option to set the attributes necessary for the waves effect on a button.
Possible Solution
jlmakes/scrollreveal@f75c0c2
seems to fix a similar issue in another project.
Console errors are thrown with
ripple.setAttribute('style', convertStyle(rippleStyle));
Steps to Reproduce (for bugs)
HTML of a simple button:
The button waves effect will be blocked by a content security policy without 'unsafe-inline'.
Context
I'm trying to use Materialize on a web server with a properly configured content security policy. Using 'unsafe-inline' neutralizes most of the benefits of a content security policy. I suspect this will be an issue with more than just buttons, but I have only tested buttons so far. Likely, it's an issue with using setAttribute.
Your Environment
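An added example, not part of the original issue and not Materialize or waves.js code: one way to avoid the setAttribute('style', ...) call quoted in the issue is to write each property through the CSSOM (element.style.setProperty), which a style-src policy without 'unsafe-inline' does not treat as an inline style attribute. The names applyStyle, toCssName and makeFakeElement, and the sample rippleStyle values, are hypothetical and constructed for illustration.

```javascript
'use strict';

// A style-src policy without 'unsafe-inline' blocks inline style *attributes*,
// including ones written with setAttribute('style', ...). Property writes
// through the CSSOM (element.style) are not covered by that check.

// Map camelCase keys to CSS property names. Names that already contain a dash
// ("-webkit-transform", "--custom") pass through unchanged.
function toCssName(key) {
  if (key.includes('-')) return key;
  const dashed = key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
  // camelCase vendor prefixes (webkitTransform) need a leading dash.
  return /^(webkit|moz|ms|o)-/.test(dashed) ? '-' + dashed : dashed;
}

// Apply a style object one property at a time, never touching the style attribute.
function applyStyle(el, styleObj) {
  for (const [key, value] of Object.entries(styleObj)) {
    if (value === null || value === undefined) continue; // skip unset entries
    el.style.setProperty(toCssName(key), String(value));
  }
  return el;
}

// Hypothetical stand-in for a DOM element so the example runs in Node.
// In a browser, pass a real element instead. It records attribute writes so
// the demo can show that no style attribute was set.
function makeFakeElement() {
  const props = new Map();
  const attributeWrites = [];
  return {
    attributeWrites,
    setAttribute(name) { attributeWrites.push(name); },
    style: {
      setProperty(name, value) { props.set(name, value); },
      getPropertyValue(name) { return props.get(name) || ''; },
    },
  };
}

// Constructed sample values, not taken from the library.
const rippleStyle = { top: '12px', left: '34px', webkitTransform: 'scale(2)', transform: 'scale(2)', opacity: 1 };

function demo() {
  return applyStyle(makeFakeElement(), rippleStyle);
}
```
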