This repository has been archived by the owner on May 29, 2019. It is now read-only.
Accordion: href="javascript:void(0);" Content Security Policy (CSP) Error #3904
CSP compatibility would be a great goal for UI Bootstrap. It's certainly a lot of work, but it's great if libraries don't stand in the way of hardening web sites.
Are there any other problems as far as CSP is concerned inside UI Bootstrap other than the improper href usage?
The other - and probably more difficult one - would be inline styles.
Is ng-style still considered ok?
TBH, I don't know. Without
I have opened a new ticket for the broader CSP question at #3911.
PR #2869 introduced an empty href attribute to enable keyboard accessibility for toggling accordion groups. This introduced a page refresh issue which was fixed by #3299. The fix for this was introducing a noop via javascript.void(0) to the href attribute. The result of this change is that it breaks the CSP rules such as our use case where we've disabled all inline javascript execution. This needs an alternative workaround that doesn't rely on having an inline script for the empty href attribute.
Please see https://developer.mozilla.org/en-US/docs/Web/Security/CSP for a quick introduction to CSP.
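As an added example (not part of the original issue or of UI Bootstrap's code), this Node.js script audits template markup for the patterns raised in this thread that a policy without `'unsafe-inline'` blocks: `javascript:` URLs, inline event handlers and literal `style` attributes. The function name `auditTemplate`, the rule ids and the sample template are constructed for illustration.

```javascript
// Added example: flag markup that a CSP without 'unsafe-inline' will block.
// Attribute values are matched up to the same quote character that opened them.
const VALUE = String.raw`(["'])(?:(?!\1).)*\1`;
const RULES = [
  // javascript: URLs are treated as inline script (script-src).
  { id: 'javascript-url', directive: 'script-src',
    re: /\b(?:href|src|action)\s*=\s*(["'])\s*javascript:(?:(?!\1).)*\1/gi },
  // on* attributes (onclick=...) are inline script as well.
  { id: 'inline-handler', directive: 'script-src',
    re: new RegExp(String.raw`\son[a-z]+\s*=\s*` + VALUE, 'gi') },
  // A literal style="..." attribute is an inline style (style-src).
  // Only the plain attribute is matched; ng-style is a different attribute.
  { id: 'inline-style', directive: 'style-src',
    re: new RegExp(String.raw`\sstyle\s*=\s*` + VALUE, 'gi') },
];

// Returns one finding per offending attribute, with a 1-based line number.
function auditTemplate(file, html) {
  const findings = [];
  html.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.re)) {
        findings.push({ file, line: i + 1, rule: rule.id,
                        directive: rule.directive, match: m[0].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample, loosely shaped like an accordion heading template.
const SAMPLE = [
  '<div class="panel-heading">',
  '  <a href="javascript:void(0);" class="accordion-toggle" ng-click="toggleOpen()">Title</a>',
  '  <a href class="accordion-toggle" ng-click="toggleOpen()">Title</a>',
  '  <div class="progress-bar" style="width: 40%" ng-style="{width: pct}"></div>',
  '  <button onclick="toggle(\'g1\')">Toggle</button>',
  '</div>',
].join('\n');

for (const f of auditTemplate('sample.html', SAMPLE)) {
  console.log(`${f.file}:${f.line} [${f.directive}] ${f.rule}: ${f.match}`);
}
```

Running a check like this over a library's templates in CI catches a reintroduced inline construct before it reaches a site that enforces the policy.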