ruffle-rs / ruffle

A Flash Player emulator written in Rust
https://ruffle.rs

Inline styles not applied if CSP prevents it #9046

Open Lord-McSweeney opened 1 year ago

Lord-McSweeney commented 1 year ago

Describe the bug

Ruffle has inline styles that it applies to the HTML side of the renderer. If the page's content security policy prevents this (usually with an error like this: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha-256...' ". Either the 'unsafe-inline' keyword, a hash ('sha256-eXLVRG1fNBRqEdQ/lv9ExLPONdROV5NnbCYNGLj3gsA='), or a nonce ('nonce-...') is required to enable inline execution), all of Ruffle's styles mess up. Example: https://evilgames.eu/flashgames/fireboy-and-watergirl-in-the-forest-temple.htm (extension required).

Expected behavior

The styles still apply.

Affected platform

Browser's extension

Operating system

Linux

Browser

Chrome 108

Additional information

The problem can be fixed by loading the styles from Ruffle's extension files separately (putting a stylesheet in web_accessible_resources).

n0samu commented 1 year ago

Strangely, the issue seems not to occur in Firefox.

GhostlyDark commented 1 year ago

I relaxed the CSP on the website, so this is currently not reproducible there. The CSP has to allow for 'unsafe-inline' to allow for any ruffle version to work (or at least allow the style-src-elem), as <style> is used multiple times by ruffle to display things (see shadow-template.ts).

Hashes may be used instead, but are likely to break the extension and are a hassle when it comes to updating ruffle. It is unlikely for websites to use such strict CSP rules however.
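
The CSP rules this thread turns on ('unsafe-inline', style-src-elem, hashes), as an added example that is not part of the thread or of Ruffle's code: a Node.js check of whether a policy permits a given inline `<style>` element. The stylesheet text and policies are constructed samples, the function names are hypothetical, and it assumes a single enforced policy with hashes written in standard base64.

```javascript
// Added example, not Ruffle code: does a CSP permit a given inline <style> element?
const { createHash } = require("node:crypto");

// Parse a policy into Map<directive, sources>; a repeated directive is ignored (first wins).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// CSP hash-source for the exact text between <style> and </style>.
function styleHash(cssText, algo = "sha256") {
  return `'${algo}-${createHash(algo).update(cssText, "utf8").digest("base64")}'`;
}

function inlineStyleAllowed(policy, cssText, nonce = null) {
  const csp = parseCsp(policy);
  // <style> elements are governed by style-src-elem, then style-src, then default-src.
  const directive = ["style-src-elem", "style-src", "default-src"].find((d) => csp.has(d));
  if (!directive) return { allowed: true, directive: null, reason: "no-directive" };
  const sources = csp.get(directive);
  const hashes = sources.filter((s) => /^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$/i.test(s));
  const nonces = sources.filter((s) => /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/i.test(s));
  if (nonce && nonces.includes(`'nonce-${nonce}'`)) return { allowed: true, directive, reason: "nonce" };
  for (const algo of ["sha256", "sha384", "sha512"]) {
    if (hashes.includes(styleHash(cssText, algo))) return { allowed: true, directive, reason: "hash" };
  }
  // 'unsafe-inline' is ignored as soon as the directive lists any hash or nonce.
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (unsafeInline && hashes.length + nonces.length === 0) {
    return { allowed: true, directive, reason: "unsafe-inline" };
  }
  return { allowed: false, directive, reason: "blocked" };
}

// Constructed sample stylesheet and policies (not Ruffle's real CSS, not the site's real CSP).
const CSS = ":host { display: inline-block; }";
const SAMPLE_POLICIES = [
  "default-src 'self'; style-src 'self'",
  `style-src 'self' ${styleHash(CSS)}`,
  "style-src 'self'; style-src-elem 'self' 'unsafe-inline'",
];
for (const p of SAMPLE_POLICIES) console.log(p, "=>", inlineStyleAllowed(p, CSS));
```

A hash only matches the exact stylesheet text, so any change to the inline CSS between releases needs a new hash in the site's policy.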