Support 'strict-dynamic' in style-src #399
Comments
|
For myself, I have JavaScript files approved by a nonce, that dynamically generate styles. Since the JavaScript is approved by CSP, the contents - including the dynamic style should be too. I hope that a 'strict-dynamic' for style-src would help with this situation too or maybe something similar. |
6 tasks
|
Any update on this? |
|
This was raised again recently in #625, but there doesn't seem to be much discussion there either. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is related to a recent Twitter discussion about
style-src-elem.For a policy that aims to restrict styles by requiring nonces for style elements (
style-src-elem 'nonce-foo'), but allows inline style attributes (style-src-attr 'unsafe-inline') it would be helpful to allow nonced/hashed stylesheets to load additional CSS without requiring a nonce for such loads; in fact, there is currently no way for@import url(foo.css)to set a nonce.I think the main effect of supporting
'strict-dynamic'for styles would be allowing@importrules to load additional stylesheets. We could also drop the URL-based source list for backcompat, similarly toscript-src.@mikewest
The text was updated successfully, but these errors were encountered: