CSP (Content-Security-Policy) violations when trying to use inline styles

[vikingair]

Error message from the dev console: (inserted some newlines for sake of readability)

getActionNameFromElement.ts:196 Refused to apply inline style because
it violates the following Content Security Policy directive:
"default-src 'self'". Either the 'unsafe-inline' keyword, 
a hash ('sha256-aEiIwOuxfzdCmLZe4oB1JsBmCUxwG8x+u+HBCV9JT8E='), or a nonce ('nonce-...') 
is required to enable inline execution. 
Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

So it requires me to use style-src 'self' 'unsafe-inline'; to work properly. I would like to have an option to disable this behavior and I'm actually curious why @datadog/browser-rum is trying to create inline styles.

[bcaudan]

Hi @fdc-viktor-luft,

Good catch, we indeed create a style element to check some browser behavior while computing action names, cf getActionNameFromElement.ts.
We will have a look to see if we can do the same without violating any CSP or if we need to update our CSP documentation.

We'll ping here with the conclusion either way.

[BenoitZugmeyer]

Hello @fdc-viktor-luft , just to let you know that a fix has been released in v3.6.9/v3.6.10. You should not need specific CPS rules for styles anymore.