Inline styles and Content Security Policy #2423

Closed
penartur opened this issue Sep 17, 2015 · 2 comments · Fixed by #2723

Comments

@penartur

As of now, Chosen for jQuery does not work correctly when inline styles usage is forbidden by an appropriate Content-Security-Policy.
The problem is that, when it creates the "chosen" menu in set_up_html, it uses the "style" param to specify width:

```
'style': "width: #{this.container_width()};"
```

jQuery supports specifying the width directly (not by CSS properties): http://api.jquery.com/width/ ; this one should solve the problem.

Unfortunately, writing front-end JS compatible across different browsers (and testing it) is not my strong side, so I'll only create this issue, and will not supply any pull request with it.

@stof
Collaborator

stof commented Sep 17, 2015

@penartur jQuery.width sets inline styles too.

@okdana

okdana commented Oct 8, 2016

Bumping. This is still an issue — Chosen does not like CSP very much.

Here's an example of the kind of errors you get with style-src: 'self' (using Chrome here because its console output is more explicit, but the same problem occurs in Firefox or wherever):

[Screenshot: screen shot 2016-10-07 at 19 46 02]

This is what causes that particular error:

```
div = $('<div />', {
    'style': style_block
});
```

However, there are issues in other places, too, like here (the line OP linked) and here.

I am not a super expert front-end dev either, but as far as I understand it, this is caused by writing directly to an element's style attribute. Modifying individual properties on an HTMLElement's style property, on the other hand, should not run afoul of these restrictions.
