Support style CSP nonce for SVG renderer #472
Open
Closes #450, closes #456

When used with a strict Content-Security-Policy, browsers will refuse to render the SVG as inline styles are used.

The following error will be seen in the console:

```
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-nonce_placeholder'". Either the 'unsafe-inline' keyword, a hash ('sha256-eV8Xu0oi/phHwwFa2aajf5nivMeGhgQRxQsJ/TFjv+k='), or a nonce ('nonce-...') is required to enable inline execution
```

This pull request moves the styles to a dynamically generated style tag and allows the nonce attribute to be set to the `nonce` option value or attempts to get the nonce value from `<meta property="csp-nonce" nonce="nonce_placeholder" />`.

This was tested using `example/cspNonce.html`. In an actual implementation the `Content-Security-Policy` header will be set by the server and the server will rewrite the `nonce_placeholder` value in the html file and not be set using `meta http-equiv`.
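The server-side half described above (a per-response nonce written into both the `Content-Security-Policy` header and the `nonce_placeholder` in the HTML) can look like the following. This is an added example, not code from this pull request or the project; `TEMPLATE`, `newNonce` and `renderWithNonce` are hypothetical names, the page markup is constructed, and sending `Cache-Control: no-store` is an assumption made so that a cached page never reuses a nonce.

```javascript
const { randomBytes } = require('node:crypto');

// Constructed sample page; the meta tag is the one from the PR description.
const TEMPLATE = `<!doctype html>
<html>
<head>
  <meta property="csp-nonce" nonce="nonce_placeholder" />
</head>
<body><div id="chart"></div></body>
</html>`;

const PLACEHOLDER = 'nonce_placeholder';

// A fresh, unpredictable nonce for every response: 128 bits from the CSPRNG.
function newNonce() {
  return randomBytes(16).toString('base64');
}

// Builds the header and body for ONE response. The same nonce must appear in
// both, and it must never be a static or reused value, otherwise anyone who
// has seen one response can get injected styles past the policy.
function renderWithNonce(template, nonce = newNonce()) {
  // Reject anything that is not plain base64 so a caller-supplied value
  // cannot break out of the header or the HTML attribute.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(nonce)) {
    throw new Error('nonce must be base64');
  }
  return {
    nonce,
    headers: {
      'Content-Security-Policy': `style-src 'nonce-${nonce}'`,
      // Assumption: the page is not cached, so each nonce is served once.
      'Cache-Control': 'no-store',
    },
    // Replace every occurrence of the placeholder, not only the first.
    body: template.split(PLACEHOLDER).join(nonce),
  };
}
```

The returned `headers` and `body` are meant to be sent together by whatever HTTP framework serves the page; a placeholder left in the output means the template was served without rewriting and the policy will block the styles.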