Reputation: 12837
Applying style using JS when Content Security Policy is in effect
I'm trying to set an element's background color using Javascript, and I have a Content Security Policy with style-src 'self'.
I'm able to do things like $(el).css("display", "none") from Javascript, but $(el).css("background-color", "#FFF") fails due to the CSP. The same happens when I try doing el.style.backgroundColor = "#FFF".
The #FFF is actually coming from the database, so I don't have a way of putting that into a static CSS file. Is there any way that I can set the background color dynamically without allowing all inline style?
Upvotes: 0
Views: 399
Answers (1)
Reputation: 12837
The problem ended up being that el was inside a block managed by Tooltipster. Tooltipster clones the content of the tooltip before displaying it, so even though the style was actually set successfully on the original el, when the clone was inserted into the DOM, the browser saw that the element had a style tag, and blocked it.
Upvotes: 1
Related Questions
- Way to handle inline styles added from external library respecting CSP
- Refused to apply inline style because it violates the following Content Security Policy directive
- Add nonce to style inline
- Content Security Policy bypass
- Content security policy including a script
- Content Security Policy - style-src does not prevent inline styles
- How to let script to use setAttribute 'style' without breaking CSP
- Handling Content Security Policy in .htaccess
- Why can I set styles in JS without violating Content Security Policy's style-src 'self'?
- "inline-style"-Error with Content Security Policy and Javascript