Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Iconify script causes CSP violations

See original GitHub issue

I’m working on a web app that uses the hosted iconify 1.0.4 script. I recently started sending Content Security Policy headers. This causes the iconify script to fail because it’s attempting to apply an inline style dynamically.

Screen Shot 2020-03-29 at 7 56 57 PM

To fix this, Chrome recommends either using the 'unsafe-inline' option, but that opens the door for everything and elsewhere they strongly recommend avoiding it. The other option is to us add a hash for the style. But if you look closely at the screenshot, the hash it recommends is already in my CSP.

Yeah, there’s a bug in Chromium.

According to that bug, the real fix for now is to use 'unsafe-hashes' along with the hashes of the iconify scripts. In my case that ends up being script-src-attr 'unsafe-hashes' 'sha256-QlrbM8aOqzBK0DIi4eTKHWBQeoYW8/V+N7qXwMcKmqo='. That worked to address the errors. I’m still concerned about using 'unsafe-hashes' but it’s way better than 'unsafe-inline'.

This might be worth adding to your documentation.

I haven’t dug into the iconify script enough to understand whether the functionality that violates CSP is essential behavior or if there are workarounds that could be employed. So I thought I’d ask here.

Thanks!

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:7 (4 by maintainers)

github_iconTop GitHub Comments

1reaction
cyberaliencommented, Mar 31, 2020

It isn’t possible because it would break backwards compatibility. Some users might rely on that stylesheet being injected.

If you really want to get rid of that message, the only option is to build custom version of Iconify. Clone this repository, open src/browser/init.js, remove this code:


    /**
     * Add stylesheet
     *
     * @param timed
     * @returns {boolean}
     */
    local.addStylesheet = function(timed) {
        var el;

        if (!document.head || !document.body) {
            if (local.domready) {
                // head or body is missing, but document is ready? weird
                return true;
            }
            if (!timed) {
                local.initTimeout(local.addStylesheet.bind(null, true));
            }
            return false;
        }

        // Add Iconify stylesheet
        try {
            el = document.createElement('style');
            el.type = 'text/css';
            el.innerHTML = 'span.iconify, i.iconify, iconify-icon { display: inline-block; width: 1em; }';
            if (document.head.firstChild !== null) {
                document.head.insertBefore(el, document.head.firstChild);
            } else {
                document.head.appendChild(el);
            }
        } catch (err) {}

        return true;
    };
    local.initQueue.push(local.addStylesheet.bind(null, false));

then rebuild package. To rebuild it run these commands:

npm install
npm run build

Then you can use iconify.min.js from directory dist

0reactions
Juneezeecommented, Mar 31, 2020

@cyberalien Hi, in version 1.0.5, I still get one style-src error about unsafe-inline. Is it possible not to set or inject any style to avoid this error?

image

EDIT: The error comes from this line in iconify.js image

Thanks

Read more comments on GitHub >

github_iconTop Results From Across the Web

How to fix 'because it violates the following content security ...
Blocked by Content Security Policy. 'csp error because it violates the following content security policy directive'. Content Security Policy error message.
Read more >
Html Error: Refused to load the script because it violates the ...
Therefore the reason is in your web-server - it's publish the Content Security Policy "script-src 'self'" by default.
Read more >
Iconify Won't Work On Extensions Page · Issue #56 - GitHub
html:121 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'" ...
Read more >
issues • Codicons • Iconify
IconifyIcon web component makes using icons as easy as icon fonts. To use "issues" in HTML, add this code to the document:.
Read more >
Content Security Policy Level 3 - W3C
Violation reports generated from inline script or style will now report " inline " as the blocked resource. Likewise, blocked eval() execution ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Icon not showing in simple JavaScript

Next page

Feature Request: Support for title attribute