- Issue created by @amy_farrell
On a site that will run behind a firewall with the AWS WAF "core ruleset" enabled, we discovered that the preview requests generated by this module for resized images trigger one of the firewall rules. Since this is probably a pretty common choice of firewall rule, it might be worth addressing.
The "style" attribute is triggering the rule. (It's possible to use "style" in a cross-site scripting attack.) Since I don't see the "style" attribute being used in the rendered page or in the preview window, I wonder if this data could be passed through in a different way. Perhaps a "data-style" attribute could be used instead?
After installing and configuring this module as described, add an image to a page and resize it. Save, then edit the page again. A fetch request will be made to a media/[editorname]/preview URL with some HTML for a drupal-media element with a attribute.
Revise the fetch query and accompanying logic to use a "data-style" attribute instead of "style".
Active
1.0
Code