loading local stylesheets without self source #676
Comments
It looks like you have a minor typo in your hash, but that's not the source of the issue
From the spec, only the script matching algorithm includes "Does integrity metadata match source list?", so the spec would need a change to also permit external style resources by integrity hash. The hash for external scripts is only checked if the
Hi Geoff! Good catch! I was probably testing and forgot to revert the change. Thanks for the reference! :)
I am encountering difficulties loading local stylesheets using the style-src-elem directive without including self as a source when using default-src 'none'.
Here is a simple example of the issue:
This setup fails to load when using the following CSP configuration:
I have tried adding the integrity attribute, but it did not resolve the issue.
I tested with both Chrome and Firefox and encountered the same issue on both. The stylesheet gets blocked due to CSP violations.
Is it possible to load a local stylesheet without whitelisting 'self' as a source? If so, what am I missing in my configuration?
I have set up a repository that replicates this behavior for testing:
https://github.com/nizos/csp-docker
Any guidance or clarification on whether this is expected behavior according to the CSP spec is greatly appreciated.
Thanks in advance!
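The asymmetry described in the comment above, as an added example that is not part of the original thread: a simplified model of the CSP Level 3 pre-request checks for scripts and styles, showing that a hash source plus a matching integrity attribute allows an external script but not an external stylesheet. Function names, the sample origin and the hash value are constructed; URL matching is reduced to 'self' and exact origins, and 'strict-dynamic' is left out.

```javascript
// Simplified model of the CSP3 pre-request checks for scripts and styles.
// All names and sample values are constructed for illustration.
const HASH_RE = /^'(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})'$/;
const HASH = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; // placeholder
const PAGE = "https://app.example"; // constructed origin

// Hash source expressions in a directive value, normalised to "alg-value".
function hashSources(sourceList) {
  return sourceList.map(s => HASH_RE.exec(s)).filter(Boolean)
    .map(m => `${m[1]}-${m[2]}`);
}

// "Does integrity metadata match source list?": every hash in the integrity
// attribute must appear as a hash source; empty metadata never matches.
function integrityMatches(integrity, sourceList) {
  const wanted = (integrity || "").trim().split(/\s+/).filter(Boolean);
  if (wanted.length === 0) return false;
  const allowed = new Set(hashSources(sourceList));
  return wanted.every(h => allowed.has(h));
}

// URL matching reduced to 'self' and exact-origin sources (assumption).
function urlMatches(req, sourceList) {
  const origin = new URL(req.url).origin;
  return sourceList.some(
    s => (s === "'self'" && origin === req.pageOrigin) || s === origin);
}

function nonceMatches(req, sourceList) {
  return Boolean(req.nonce) && sourceList.includes(`'nonce-${req.nonce}'`);
}

// Scripts: nonce, then integrity hash, then URL.
function scriptPreRequestCheck(req, sourceList) {
  if (nonceMatches(req, sourceList)) return "Allowed";
  if (integrityMatches(req.integrity, sourceList)) return "Allowed";
  return urlMatches(req, sourceList) ? "Allowed" : "Blocked";
}

// Styles: nonce, then URL. There is no integrity step.
function stylePreRequestCheck(req, sourceList) {
  if (nonceMatches(req, sourceList)) return "Allowed";
  return urlMatches(req, sourceList) ? "Allowed" : "Blocked";
}

// Constructed request for a same-origin stylesheet carrying an integrity hash.
const cssReq = { url: `${PAGE}/main.css`, pageOrigin: PAGE, integrity: HASH, nonce: "" };
console.log(stylePreRequestCheck(cssReq, [`'${HASH}'`])); // hash alone
```

In this model the stylesheet passes only when the source list carries a matching nonce, 'self', or the explicit origin.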