Refused to apply inline style because it violates the following Content Security Policy
I was trying to use inline styling, but suddenly the console is giving this error and ain't letting me do one important task.
each review in tour.reviews
.mc_reviews
.mcr_top
.mcrt_left
.mcrtl_pic
.mcrtlp_container
img(src=`images/users/${review.user.photo}`)
.mcrtl_name= `${review.user.name}`
.mcrt_mid
.mcrt_right
img(src='/images/star.png')
img(src='/images/star.png')
img(src='/images/star.png')
img(src='/images/star.png')
img(src='/images/star.png')
.mcrtr_overlay(style={'width': `${(review.rating)*20}%`})
.mcr_bottom= `"${review.review}"`
The above is a pug template where you can easily spot the inline content.
The inline style will help me color the stars based on rating of each reviewer.
Now that the issue is disturbing me!
I already have used the below code which I got from another post on stack overflow:
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'", 'data:', 'blob:'],
fontSrc: ["'self'", 'https:', 'data:'],
scriptSrc: ["'self'", 'unsafe-inline'],
scriptSrc: ["'self'", 'https://*.cloudflare.com'],
scriptSrcElem: ["'self'",'https:', 'https://*.cloudflare.com'],
styleSrc: ["'self'", 'https:', 'unsafe-inline'],
connectSrc: ["'self'", 'data', 'https://*.cloudflare.com']
},
})
);
I have also gone through many similar solutions, but none of them is working.
Please help!!!
Solution
The problem is that you are inserting inline style attributes. You have multiple options in security preferred order:
- Rewrite the code to add css class names instead of modifying style.
- Add the hash values corresponding to the 5 star ratings. The must be added with single quotes in the policy along with 'unsafe-hashes'.
- Add single quotes to unsafe-inline as "'unsafe-inline'" in your code. You're currently adding the source unsafe-inline, which is treated as a host-source not a keyword.
- Why anchor tag does not take height and width of its containing element
- Add <style> element to an HTML using Python Dominate library
- how to remove blue background on chrome autocomplete
- How do I use variable fonts with Google Fonts?
- JS manipulates the DOM, then CSS doesn't load properly on refresh, even though cache is disabled
- Align section heading with the first content item instead of centering in Flexbox layout
- Get rid of spaces between spans
- Remove button when logged in (wordpress)
- Is border-image possible in Tailwind?
- How to strike through obliquely with css
- CSS cross through an element
- Is pop-out effect using blob svg achievable?
- How to set borders between children from parent in CSS?
- Amazon S3 CORS (Cross-Origin Resource Sharing) and Firefox cross-domain font loading
- How do CSS triangles work?
- Making planets follow their orbit in HTML/CSS
- How to make row scroll (overflow) on x axis when reach max width
- Why is CSS flex not working when deployed?
- Radial progress bar using TailwindUI
- Column of h2 elements takes width of the biggest, how to prevent?
- HTML5 and CSS grid - Can't get it to fit the content
- How to disable scroll without hiding it?
- Tailwind CSS "justify-center" works if used with "flex-row" but doesnt work with "flex-col"
- How can I change the color of an 'svg' element?
- How to control website tinting in Safari 15
- How do you prevent header tags from stretching across the body width
- Dark mode flickers a white background for a millisecond on reload
- How can I set "cursor: pointer" on Vuetify v-data-table rows? (expanded item area excluded)
- How can I inspect the shadow DOM of native controls in Chrome developer tools?
- 100vh height when address bar is shown - Chrome Mobile