carbon-design-system / ibm-products

A Carbon-powered React component library for IBM Products
https://ibm-products.carbondesignsystem.com
Apache License 2.0
98 stars 138 forks

[CSP]: Content security policy violations in SVGs #6178

Closed amal-k-joy closed 1 month ago

amal-k-joy commented 1 month ago

Package

Carbon for IBM Products

Description

Violations are thrown from the SVGs used inside the empty state component.

Component(s) impacted

Datagrid, EmptyState, HTTPError

Browser

Chrome

@carbon/ibm-products (previously @carbon/ibm-cloud-cognitive) version

v2.49.0

Suggested Severity

None

Product/offering

na

CodeSandbox or Stackblitz example

https://stackblitz.com/edit/github-fenvlt-5kkbmk?file=index.html

Steps to reproduce the issue (if applicable)

Run the StackBlitz and check the console. This style is being injected dynamically.

Image

https://github.com/user-attachments/assets/fe8f76a6-a492-4da4-9851-e0680726ad01

Release date (if applicable)

No response

### Tasks
- [x] EmptyStates/assets/NotificationsIllustration.js
- [x] EmptyStates/assets/NoDataIllustration.js
- [ ] ~HTTPErrorSvg403.js~
- [ ] ~HTTPErrorSvg404.js~
- [ ] ~HTTPErrorSvgOther.js~
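
As an added illustration (not part of the original issue or the ibm-products code base), this Node.js sketch reports the inline `<style>` elements and `style` attributes in an SVG string that a given Content-Security-Policy would block, the kind of inline SVG styling this issue concerns. The policy strings, the sample SVG and all function names are assumptions made for the example.

```javascript
// Added example: report inline styles in SVG markup that a CSP would block.
// Policy strings and SVG are constructed samples; all names are hypothetical.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><defs><style>.a{fill:#0f62fe}</style></defs>' +
  '<path class="a" d="M0 0h8v8z"/><rect style="fill:#fff" width="4" height="4"/></svg>';

// Parse a CSP header value into { directive: [sources] }; first duplicate wins.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in out)) out[key] = sources;
  }
  return out;
}

// Source list governing inline <style> ("elem") or style="" ("attr"), using
// the CSP3 fallback chain; null when no directive restricts styles.
function styleSources(csp, kind) {
  return csp[`style-src-${kind}`] ?? csp['style-src'] ?? csp['default-src'] ?? null;
}

// 'unsafe-inline' is ignored once the list carries a nonce or hash source.
function allowsAllInline(sources) {
  if (sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s))) return false;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Inline styles in `svg` that `policy` blocks. Hash sources are not evaluated
// (reported conservatively); only double-quoted attributes are recognised.
function findCspStyleViolations(policy, svg) {
  const csp = parseCsp(policy);
  const findings = [];
  const elem = styleSources(csp, 'elem');
  if (elem && !allowsAllInline(elem)) {
    for (const m of svg.matchAll(/<style\b([^>]*)>/gi)) {
      const nonce = /\bnonce="([^"]*)"/i.exec(m[1]);
      if (!(nonce && elem.includes(`'nonce-${nonce[1]}'`))) findings.push('style-element');
    }
  }
  const attr = styleSources(csp, 'attr');
  if (attr && !allowsAllInline(attr)) {
    for (const m of svg.matchAll(/<[a-z][^>]*?\sstyle="[^"]*"/gi)) findings.push('style-attribute');
  }
  return findings;
}

console.log(findCspStyleViolations("default-src 'self'", SAMPLE_SVG));
```

Running a check like this over illustration sources in CI surfaces inline styling before a strict `style-src` policy reports it in the browser console.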

matthewgallo commented 1 month ago

There is some discussion here about the handling of style attributes in SVGs from core that could provide some helpful insight.

AlexanderMelox commented 1 month ago

No need to touch deprecated SVGs.