feat-agency / vite-plugin-webfont-dl

⚡ Webfont Download Vite Plugin - Make your Vite site load faster
MIT License

Allow customising or disabling inline JavaScript. #3

Closed minht11 closed 2 years ago

minht11 commented 2 years ago

Using inline event handlers with CSP is problematic, because for now Firefox and Safari do not support unsafe-hashes, which leaves only unsafe-inline. If the user could control the JavaScript, or in this case completely disable it, they could add JavaScript event listeners inside their own scripts while keeping CSP strict.

0xb4lint commented 2 years ago

Hi @minht11!

You're right, that might be an issue.

@borkeszmate just added the ability to set the async option to solve this issue (#4) - v2.1.0

async: true option (default behavior):

<link rel="preload" as="style" href="/assets/webfonts.859dc200.css">
<link rel="stylesheet" media="print" onload="this.onload=null;this.removeAttribute('media');" href="/assets/webfonts.859dc200.css">

async: false option:

<link rel="preload" as="style" href="/assets/webfonts.859dc200.css">
<link rel="stylesheet" href="/assets/webfonts.859dc200.css">

Best, Bálint