New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content Security Policy violation: inline styles unsafe #384
Comments
For bug reports, please include a jsfiddle in order for us to be able to reproduce the issue.
|
I can't. Unless I can tell JSFiddle which headers to send back from the server. Any CSP that doesn't allow "unsafe-inline" (which is an arguably bad CSP - see https://securityheaders.io) will block it from running. |
@limonte It's impossible (or, really hard) to reproduce on JSFiddle, since it requires the The CSP rule blocks inline styles, but not CSSOM (eg. blocks The main problem here is testing it. It would require setting up a server that serves files with the proper HTTP headers, and some code to load it. I'll look into fixing this. |
Thanks @birjolaxew 😄 FWIW, I would recommend Caddy (disclaimer: author); it runs everywhere without trouble and is very easy to set this header. In fact, just put this in a file called
These are the security-related headers I'm currently using. Basically, you just need to un-inline the |
Awesome - thanks! |
Works great - thank you! |
All credits to @birjolaxew - he's the rockstar of this plugin 🎸 |
getting same issue with v7.12.9 sweetalert2.all.js:2001 Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self' data: gap://ready". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback. |
It looks like for you project you need to include CSS styles manually: <script src="sweetalert2.min.js"></script>
<link rel="stylesheet" href="sweetalert2.min.css"> |
@limonte I'm having the same issue with 7.25.6 and webpack. My code: import Swal from 'sweetalert2'
Swal({ ... }); Error: Also tried adding styles separately with |
@binarious try this: // import sweetalert2 without inline styles
import swal from 'sweetalert2/dist/sweetalert2.js'
// import styles separately
import 'sweetalert2/dist/sweetalert2.css' |
|
Trying out this fork just to compare with the original thing. I do notice this (and the original might have this issue too, I forgot to check):
I could just hash the contents but I don't want to have to update the server configuration (CSP header) every time I update SWAL.
The text was updated successfully, but these errors were encountered: