antoniandre / wave-ui

A UI framework for Vue.js 3 (and 2) with only the bright side. ☀️
https://antoniandre.github.io/wave-ui
MIT License
549 stars, 40 forks

Font loaded as data: URI will be blocked by robust content security policies #70

Open cwaldbieser opened 3 years ago

cwaldbieser commented 3 years ago

_icons.scss uses a data: URI. This can be blocked by strict content security policies. Could the font just be moved to an actual asset file?

antoniandre commented 10 months ago

For later reference, this specific CSP allows the inline icons font from Wave UI and it is still fairly restrictive.

<IfModule mod_headers.c>
  Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:;"
</IfModule>

On the one hand, it is very convenient and optimized to have this icon set embedded in a few lines of code (this set will likely not change in the near future, and it spares an extra HTTP request unless it's already bundled). On the other hand, I understand it is not a best practice to allow style sources to be inline in data. This is why this issue stays open forever until I resolve to change the behavior or close it.

Later, other votes could also motivate the change.
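Added illustration, not part of the issue thread or Wave UI's code: a small evaluator showing why a `data:` font is refused under a policy with only `default-src 'self'` and accepted under the header quoted above, and which relaxations that header carries. The function names, the origin `https://app.example` and the sample font URI are assumptions constructed for the example.

```javascript
// Added example (not Wave UI code). Handles only the source expressions this
// issue involves: 'self', 'none', '*', and scheme sources such as data:.
// Host-source matching and nonce/hash handling are out of scope.
const ORIGIN = 'https://app.example';            // assumed page origin
const FONT = 'data:font/woff2;base64,AAAA';      // constructed sample URI
const STRICT = "default-src 'self'";
const RELAXED = "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:;";

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;           // e.g. trailing ';'
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
  }
  return policy;
}

// Decide whether a font URL may load; font-src falls back to default-src.
function fontAllowed(header, fontUrl, pageOrigin) {
  const policy = parseCsp(header);
  const directive = policy.has('font-src') ? 'font-src'
    : policy.has('default-src') ? 'default-src' : null;
  if (directive === null) return { allowed: true, directive };
  const url = new URL(fontUrl, pageOrigin);
  const allowed = policy.get(directive).some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return url.origin === new URL(pageOrigin).origin;
    // In this sketch '*' is treated as never matching data:, blob: or filesystem:.
    if (src === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;
    return false;                                // host sources not handled here
  });
  return { allowed, directive };
}

// List the directives that permit data: URIs or inline content.
function relaxations(header) {
  const found = [];
  for (const [name, sources] of parseCsp(header)) {
    for (const s of sources) {
      if (s === 'data:' || s === "'unsafe-inline'") found.push(`${name} ${s}`);
    }
  }
  return found;
}
```
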