Closed minht11 closed 2 years ago
Hi @minht11!
You're right, that might be an issue.
@borkeszmate just added the ability to set the `async` option to solve this issue (#4) - v2.1.0

`async: true` option (default behavior):

```html
<link rel="preload" as="style" href="/assets/webfonts.859dc200.css">
<link rel="stylesheet" media="print" onload="this.onload=null;this.removeAttribute('media');" href="/assets/webfonts.859dc200.css">
```

`async: false` option:

```html
<link rel="preload" as="style" href="/assets/webfonts.859dc200.css">
<link rel="stylesheet" href="/assets/webfonts.859dc200.css">
```

Best, Bálint
Using inline event handlers with CSP is problematic, because for now Firefox and Safari do not support `unsafe-hashes`, which leaves only `unsafe-inline`. If the user could control the JavaScript, or in this case completely disable it, they could add JavaScript event listeners inside their own scripts, while keeping CSP strict.
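
The approach described in the issue, sketched as an added example that is not part of the thread or the plugin's code: the `media="print"` swap is done from an external script that `script-src` already allows, so the policy needs neither `unsafe-inline` nor `unsafe-hashes`. It assumes the page emits the stylesheet link with `media="print"` but without the `onload` attribute; the `data-async-style` marker attribute and the function names are hypothetical.

```javascript
// Added example (not the plugin's code). Ship this in an external file that
// the page's script-src already permits (e.g. 'self'); no inline handler needed.
// Assumption: deferred links carry media="print" plus a hypothetical
// data-async-style attribute, and no onload attribute.
const DEFERRED_SELECTOR =
  'link[rel="stylesheet"][media="print"][data-async-style]';

// Same effect as the inline handler in the thread: once the sheet has loaded,
// drop media="print" so it applies to all media.
function enableStylesheet(link) {
  link.removeAttribute('media');
}

// Attach listeners to every deferred link in `doc`.
// Returns how many links are still waiting for their load event.
function upgradeDeferredStylesheets(doc) {
  let pending = 0;
  for (const link of doc.querySelectorAll(DEFERRED_SELECTOR)) {
    if (link.sheet) {
      // The load event fired before this script ran; a listener added now
      // would never be called, so enable the sheet immediately.
      enableStylesheet(link);
    } else {
      link.addEventListener('load', () => enableStylesheet(link), { once: true });
      pending += 1;
    }
  }
  return pending;
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof document !== 'undefined') {
  upgradeDeferredStylesheets(document);
}
```

Without JavaScript the sheet stays at `media="print"`, so a `<noscript>` copy of the plain stylesheet link is the usual fallback.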