Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Does not support Content Security Policy (CSP) nonce, only unsafe-inline css
See original GitHub issueCannot use “script-src 'nonce-…” only supports “style-src ‘self’ ‘unsafe-inline’;”
In fullcalendar.js starting at line 11408:
// Generates an HTML attribute string for setting the width of the axis, if it is known
AgendaView.prototype.axisStyleAttr = function () {
if (this.axisWidth != null) {
return 'style="width:' + this.axisWidth + 'px"'; <--------- violation will not load
}
return '';
};
Issue Analytics
- State:
- Created 5 years ago
- Reactions:3
- Comments:19 (9 by maintainers)
Top Results From Across the Web
CSP Allow Inline Styles - Content Security Policy
When you enable CSP, it will block inline styles, but there are some ways that you can allow inline styles and still use...
Read more >CSP: style-src - HTTP - MDN Web Docs - Mozilla
The HTTP Content-Security-Policy (CSP) style-src directive specifies valid sources for stylesheets. ... Yes. If this directive is absent, the user ...
Read more >Strict CSP - Content Security Policy
Older browsers, which don't support nonces, will see unsafe-inline and allow inline scripts to execute.
Read more >"inline-style"-Error with Content Security Policy and Javascript
Either the 'unsafe-inline' keyword, a hash ('sha256-ZBTj5RHLnrF+IxdRZM2RuLfjTJQXNSi7fLQHr09onfY='), or a nonce ('nonce-...') is required to ...
Read more >Use Tag Manager with a Content Security Policy
If the recommended nonce or hash approaches are not feasible, it is possible to enable the Tag Manager inline script by adding the...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
this is no longer an issue in v5, which has just been released
Demo:
https://codepen.io/halfninja/pen/dgRPzK
In the HTML head I’ve added the below, which adds a Content Security Policy (normally it would be an HTTP header). The long hashes in here are just to allow the main fullcalendar CSS and demo CSS to load in CodePen.
<meta http-equiv="Content-Security-Policy" content="style-src 'self' 'sha256-3wE6om7wsjgmaEcN8PeaBW8gFRhfuO4E3h37DMXo3cM=' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'">You will see the problem in the console when you switch to week and day views, as it refuses to apply anything provided as a style attribute:
Adding
'unsafe-inline'isn’t an option because that undermines the whole point of CSP. @codemasterover9000 has the general idea, though I know that this is not easy in practice because of how fullcalendar uses strings of HTML to pass everything around. It would be a lot easier to fix if it created DOM elements and passed those around.To be honest I can’t actually tell any visual difference with or without these width styles being set, so I’m not sure how necessary they are.
If you’re only setting a small subset of styles like width, then a workaround could be to set a data attribute like
data-width="40px"and then once you have dropped everything into innerHTML, search for any elements with that attribute and copy the value toelement.style.width. Might sound a bit hacky but would avoid having to completely redesign how the library renders stuff.