search

papnkukn / qrcode-svg

A simple QR Code generator in pure JavaScript / node.js library
MIT License
451 stars 93 forks source link

Incompatible with secure CSP #8

Open lol768 opened 4 years ago

lol768 commented 4 years ago

https://github.com/papnkukn/qrcode-svg/blob/47d56ec28fcd0a3aabbb5f11a34167a02a80c54e/lib/qrcode.js#L312-L317

Please don't do this, for those of us using this library on the web it will break on every sufficiently secured site which doesn't allow script-src 'unsafe-inline'.

For setting the fill colour, there's a perfectly good fill attribute you can use instead. For e.g. the crisp edges rendering, please just put the CSS in the README and let us apply it ourselves

qoomon commented 4 years ago

Can you explain which part will cause the csp violation, cause I cant locate the inline script. Is it because of the style attribute?

lol768 commented 4 years ago

Please don't do this, for those of us using this library on the web it will break on every sufficiently secured site which doesn't allow script-src 'unsafe-inline'.

Should read:

Please don't do this, for those of us using this library on the web it will break on every sufficiently secured site which doesn't allow style-src 'unsafe-inline'.

Apologies

qubyte commented 3 years ago

crisp-edges is also an attribute in SVG. I've opened a PR to address both: #22.