mkhairi / materialize-sass

Materializecss rubygem for Rails Asset Pipeline / Sprockets
http://materialize.labs.my/
MIT License
806 stars 243 forks

Avoid setAttribute for CSP compliance #186

Open evs-ch opened 5 years ago

evs-ch commented 5 years ago

We're using materialize-sass with Rails with a strict CSP config. Using setAttribute('style', style) causes issues with the style policy. element.style = ... is CSP compliant and could be used instead. jQuery offers .css(), which uses the aforementioned .style. This PR changes the problematic setAttribute calls to use a setStyle() function which checks if jQuery is loaded and uses .css() if possible, or falls back to setAttribute. It might be possible to enhance the function to fall back to looping through the styles and directly applying them with .style =, but I didn't look into that yet.

Using this PR with appropriate settings in Rails' content_security_policy.rb at least fixed all the CSP conflicts we had with materialize-sass.
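The setStyle() helper the PR describes, written out as an added example (not the PR's own code, nor the materialize-sass or materializecss source): it prefers jQuery's .css() when jQuery is loaded and otherwise takes the per-property element.style route the description mentions as a possible fallback, so the style attribute is never set and no inline-style CSP violation is reported. The fakeElement and fakeJQuery stand-ins are constructed so the helper runs outside a browser.

```javascript
// Added example, not code from the materialize-sass PR. A strict `style-src`
// policy (no 'unsafe-inline') refuses styles set through the style attribute,
// which is what setAttribute('style', ...) does; writes through the CSSOM
// (element.style / jQuery .css()) are permitted.

// Parse "prop: value; prop2: value2" into { prop: value }.
function parseStyleString(style) {
  const out = {};
  for (const decl of style.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    const prop = decl.slice(0, idx).trim();
    const value = decl.slice(idx + 1).trim();
    if (prop && value) out[prop] = value;
  }
  return out;
}

// Apply styles without touching the style attribute. Returns which path was used.
function setStyle(element, style, $) {
  const props = typeof style === 'string' ? parseStyleString(style) : style;
  if ($ && $.fn && typeof $.fn.css === 'function') {
    $(element).css(props);
    return 'jquery';
  }
  for (const [prop, value] of Object.entries(props)) {
    element.style.setProperty(prop, value); // hyphenated names, e.g. 'max-height'
  }
  return 'cssom';
}

// Constructed stand-in for a DOM element so the helper runs outside a browser;
// it records CSSOM writes and counts any setAttribute calls (there should be none).
function fakeElement() {
  const el = { applied: {}, setAttributeCalls: 0 };
  el.style = { setProperty(prop, value) { el.applied[prop] = value; } };
  el.setAttribute = function () { el.setAttributeCalls += 1; };
  return el;
}

// Constructed minimal jQuery stand-in exposing only $.fn.css.
function fakeJQuery() {
  const $ = (el) => ({ css(props) { Object.assign(el.applied, props); } });
  $.fn = { css() {} };
  return $;
}
```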

mkhairi commented 5 years ago

Hi @evs-ch, thanks for the PR. Would you mind making this PR to the official materializecss repo instead of here? I will update these assets based on the official repo. Thanks again.

evs-ch commented 5 years ago

Makes sense, I'll do that.