Chosen causes CSP violation

Created on 18 December 2023, over 1 year ago

Problem/Motivation

The JavaScript that integrates Chosen with this module causes CSP violations:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-Equl_2eohxDGRCJcCxBV7g'". Either the 'unsafe-inline' keyword, a hash ('sha256-WSyK6rX8LkmsLk4KZ+sgst7zNWGGx0TTFHVs96TQk+4='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

This is caused by the following line:
select.attr('style','display:visible; position:absolute; width:0px; height: 0px; clip:rect(0,0,0,0)');

Steps to reproduce

Enable a strict Content Security Policy without the unsafe-inline directive (e.g. using the CSP module)

Proposed resolution

Add a CSS class instead of setting the style attribute.

🐛 Bug report
Status: Postponed
Version: 4.0
Component: Code
Created by: dieterholvoet (Brussels, 🇧🇪 Belgium)
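
The check behind the violation message quoted in the report, as an added example that is not code from this module or from the CSP module: a simplified model of how CSP Level 3 decides whether a `style` attribute may be applied. The function names (`parsePolicy`, `cspHash`, `styleAttributeAllowed`) are hypothetical, and the model assumes a single policy string.

```javascript
// Added example (not the module's code): would this CSP allow a style="" attribute?
const crypto = require('crypto');

// Parse a policy string into Map(directive name -> source expressions).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; only the first occurrence counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// CSP hash source for an inline value, e.g. 'sha256-<base64 digest>'.
function cspHash(value, algo = 'sha256') {
  return `'${algo}-${crypto.createHash(algo).update(value, 'utf8').digest('base64')}'`;
}

// Returns { allowed, directive, reason } for a style attribute value.
function styleAttributeAllowed(policy, styleValue) {
  const directives = parsePolicy(policy);
  // style-src-attr falls back to style-src, then default-src.
  const directive = ['style-src-attr', 'style-src', 'default-src']
    .find((d) => directives.has(d));
  if (!directive) return { allowed: true, directive: null, reason: 'no governing directive' };

  const sources = directives.get(directive);
  const keywords = sources.map((s) => s.toLowerCase());
  const hashes = sources.filter((s) => /^'sha(256|384|512)-/i.test(s));
  const hasNonce = keywords.some((s) => s.startsWith("'nonce-"));

  // A nonce or hash in the list makes the browser ignore 'unsafe-inline'.
  if (keywords.includes("'unsafe-inline'") && !hasNonce && hashes.length === 0) {
    return { allowed: true, directive, reason: "'unsafe-inline'" };
  }
  // Nonces never match attributes; hashes match only with 'unsafe-hashes'.
  if (keywords.includes("'unsafe-hashes'")) {
    const digest = (h) => cspHash(styleValue, h.slice(1, 7).toLowerCase()).slice(8);
    if (hashes.some((h) => h.slice(8) === digest(h))) {
      return { allowed: true, directive, reason: "'unsafe-hashes' + hash" };
    }
  }
  return { allowed: false, directive, reason: 'inline style attribute blocked' };
}
```

Moving the declarations into a stylesheet rule and toggling a class, as the proposed resolution suggests, never writes a `style` attribute, so this check is not reached.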
