Define how / what CSP is applied to constructed stylesheet #26
Comments
|
I'm no expert on this topic, and from the glance at the spec it looks I'd like to solicit from experts' opinions. |
TakayoshiKochi
added
the
needs resolution
|
It is unfortunate but the interaction between CSSOM and CSP is not well-defined at all. The spec does suggest |
|
But on the other hand, presently if you create an element in javascript and set some style on it and then add it to the document, the style-src is never involved even though you have affected the style of an element (should it be?). Maybe by that logic the answer is that style-src does not need to be involved necessarily. |
|
@andypaicu re your #26 (comment) Does the example below is a case where no CSP check is applied? let div = document.createElement('div');
div.textContent = 'Hello World';
div.style.color = 'green';
document.body.appendChild(div);To help understand the case here (constructable stylesheet), let script = document.createElement('style');
script.textContent = 'your-element { color: green; }';
document.body.appendChild(style); // Get the sheet parsed
return style.sheet; // return constructed CSSStyleSheetThis is close to what happens inside an engine, but actual attachment to the body doesn't happen in a constructor, and actual style application happens when the element whose style is affected by the given styleheet is added to the document. So in a sense this is similar to when |
|
@andypaicu ping? |
This is spun off from #25 (comment).
This needs to be clarifed for construction from string, and
@import-ed style from it (once #25 resolves to allow it).The text was updated successfully, but these errors were encountered: