Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Change transitions to not require `style-src 'unsafe-inline'` CSP.

See original GitHub issue

Describe the problem

The way CSS transitions are currently handled they inject inline attribute styles into the element. This requires the site use style-src 'unsafe-inline'.

Describe the proposed solution

I’m not entirely sure how this works, but I’ve seen some inline attribute styles be accepted under style-src 'self' while others are not. Specifically, these spinners seem to work just fine even under a strict CSP.

It appears as though defining CSS variables inline is actually allowed? I haven’t seen any documentation about that in particular, though. If true, Svelte transitions could in principle be changed to work like the above, where the transitions are defined in CSS documents, configured by inline variables, and applied by a class change.

This is essentially a cnange only in the internal handling of transitions (and possible animations?), and wouldn’t have any effect on how they are used in Svelte code.

Alternatives considered

Don’t use transitions if you want a strict CSP.

Make your own transitions by hand.

Importance

would make my life easier

Issue Analytics

State:
Created 2 years ago
Reactions:8
Comments:20 (1 by maintainers)

Top GitHub Comments

2reactions

Karlinatorcommented, Sep 11, 2021

A workaround for this issue: adding 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' (the hash value for an empty string) to your CSP’s style-src allows Svelte to insert the empty document which it can then modify without violating CSP.

This is not in my opinion a very good solution (it’s a very weird and specific thing to require), but it does work.

2reactions

cor3000commented, Aug 30, 2021

I had the same experience a while back, luckily creating a custom (fly in/out) transition for my purpose was trivial, thanks to the brilliantly simple but flexible API. Instead of setting/animating the style property, I used JS api to set element styles directly.

e.g. a simple fly in animation (similar to slide which caused CSP errors): https://svelte.dev/repl/e177537996964518a97c27dd0bee2d43?version=3.42.4