Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Progress Bars violate CSP style-src directive unless directive has 'unsafe-inline' in it #17785

Closed
nchelluri opened this issue Oct 5, 2015 · 6 comments
Closed

Progress Bars violate CSP style-src directive unless directive has 'unsafe-inline' in it #17785

nchelluri opened this issue Oct 5, 2015 · 6 comments
Labels
css v3

Comments

@nchelluri
Copy link

I see this in the docs for v3.3.5 but I'm using an older 3.x version and see the behavior in my application.

From the docs: http://getbootstrap.com/components/#progress

<div class="progress-bar" role="progressbar" aria-valuenow="60" aria-valuemin="0" aria-valuemax="100" style="width: 60%;">

That last attribute, the inline style, causes a CSP violation for me (and I assume anyone else using an effective CSP policy, since 'unsafe-inline' is considered, well, unsafe).

A bit of searching helped me find an existing workaround for this issue: https://github.com/danielnixon/bootstrap-hacks/blob/master/progressbar.css

One thing to note is that I had to do a round on my percent values in order to make the bootstrap-hacks package work properly (e.g. aria-valuenow="50.0" doesn't work but aria-valuenow="50" does).
@cvrebert
Copy link
Collaborator

cvrebert commented Oct 5, 2015

That hack (add 100 declarations, one for each percentage point) is pretty gnarly; probably too gnarly for us to pursue.
attr() would be the obvious way to address this, but its browser support seems pretty lacking (https://developer.mozilla.org/en-US/docs/Web/CSS/attr#Browser_compatibility , Fyrd/caniuse#1209). So this might be a WontFix situation.
CC: @mdo

@nchelluri
Copy link
Author

An option a co-worker suggested to me ( @RobertWHurst ) was to put the style code into JS.

@patrickhlauke
Copy link
Member

As JS is needed anyway to make the progress bar actually work, this may be an option. My preference for v4 would be to use actual <progress> in the markup, styled as much as possible with CSS, and then gently polyfill it (replacing it with a styled <div> with relevant aria-* attributes in browsers that don't natively support <progress>)

@mdo
Copy link
Member

mdo commented Oct 13, 2015

So this might be a WontFix situation.

I'm in favor of that.

then gently polyfill it (replacing it with a styled

with relevant aria-* attributes in browsers that don't natively support )

Woof, sounds like a lot of overhead for not a lot of gain.

cvrebert added a commit that referenced this issue Oct 27, 2015
@cvrebert
Add docs regarding .progress, inline style attrs, and CSP; closes #17785
46d216c 


[skip sauce]
@cvrebert cvrebert mentioned this issue Oct 27, 2015
Merged
@cvrebert
Copy link
Collaborator

I propose documenting this and deeming it WontFix: #18080.

As JS is needed anyway to make the progress bar actually work

Eh, not really, IMHO. Progress bars that are only updated on page load are a thing.
E.g. "[progress bar goes here] You are 75% done answering this survey. Here's the next set of questions:"

cvrebert added a commit that referenced this issue Oct 30, 2015
@cvrebert
Add docs regarding .progress, inline style attrs, and CSP; closes #17785
6e1e77b 


[skip sauce]
@stgogm
Copy link

stgogm commented Dec 29, 2015

If you set the element's width through JavaScript it wont violate the CSP policy:

element.style.width = '30%';

krissihall pushed a commit to krissihall/bootstrap that referenced this issue Feb 24, 2016
Merge tag 'v3.3.6' of https://github.com/twbs/bootstrap into smcrossover
5d22f6b 
* tag 'v3.3.6' of https://github.com/twbs/bootstrap: (356 commits)
  prep release
  grunt after version bump
  bump version
  grunt
  Updating "Reporting upstream browser bugs" for IE
  Docs: Add missing `tabindex="-1"` & `role="dialog"` to some `.modal`s
  Ensure proper z-indexing in input-groups
  Fix IE9 clickthru of carousel controls
  that @cvrebert lifestyle
  fixes twbs#17003
  [v3] Use border-radius mixin in button-groups.less
  Follow up to twbs#16975
  Run `grunt`.
  Update devDependencies.
  Update verb tenses to proper tense for feature deprecations
  Port 33103c0 to v3
  Port 6f14f02 to v3
  Add http://wkbug.com/150715 to Wall of Browser Bugs
  Add docs regarding .progress, inline style attrs, and CSP; closes twbs#17785
  Run `grunt.
  ...
@david-a-wheeler david-a-wheeler mentioned this issue Feb 26, 2016
Closed
chiraggmodi pushed a commit to chiraggmodi/bootstrap that referenced this issue Apr 8, 2019
@cvrebert @chiragatlas
Add docs regarding .progress, inline style attrs, and CSP; closes twb…
27725d6 
…s#17785

[skip sauce]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
css v3
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mdo @nchelluri @cvrebert @patrickhlauke @stgogm and others