survivejs / webpack-book

From apprentice to master (CC BY-NC-ND)
https://survivejs.com/webpack/

Using inline styles instead of stylesheets #51

Closed danpalmer closed 8 years ago

danpalmer commented 8 years ago

I was reading the cookbook, and just noticed this section.

Unless Webpack is doing something really sneaky here (which I don't think is the case, but do correct me if I'm wrong), these styles will end up being rendered into the page as inline styles on DOM elements.

This is generally poor for application security. Aspects of inline styles can be used in various attacks, including XSS attacks, and it's generally preferable to disable them with a Content Security Policy if possible.

I advise adding a warning to this section to say that it could cause security issues, and that it is not advised to use it in production.
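
The CSP point above, as an added example that is not from the webpack-book project or this thread: it mimics what style-loader's runtime does (an inline `<style>` element) and checks a Content-Security-Policy header value to see whether a browser would apply such styles. The sample header values are constructed; the check covers the `default-src` fallback and the nonce/hash rule, not just the single case discussed.

```javascript
// Added example, not code from the webpack-book project or this issue.
// It shows (1) roughly what webpack's style-loader does at runtime and
// (2) how to tell from a Content-Security-Policy header value whether the
// browser would allow such inline styles. Sample headers are constructed.

// What style-loader's runtime boils down to: an inline <style> element
// appended to <head>. A CSP without 'unsafe-inline' in style-src (or, if
// style-src is absent, default-src) makes the browser refuse to apply it.
function injectStyle(doc, cssText) {
  const el = doc.createElement("style");
  el.textContent = cssText;
  doc.head.appendChild(el);
  return el;
}

// Parse a CSP header value into { "directive-name": ["source", ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Would an inline <style> element carrying no nonce and no hash be applied
// under this policy? Rules applied here: no header at all means allowed;
// style-src governs inline styles and falls back to default-src; a nonce
// or hash source in the governing directive makes 'unsafe-inline' ignored.
function inlineStylesAllowed(header) {
  if (!header) return true;
  const policy = parseCsp(header);
  const sources = policy["style-src"] || policy["default-src"];
  if (!sources) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !hasNonceOrHash && sources.includes("'unsafe-inline'");
}

// Constructed sample headers: a permissive development policy and a
// production policy that blocks style-loader's injected <style> elements.
const DEV_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'";
const PROD_CSP = "default-src 'self'; style-src 'self'";
```

With `PROD_CSP`, `inlineStylesAllowed` returns `false`, which is the situation where styles need to come from a real stylesheet instead of being injected at runtime.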

bebraw commented 8 years ago

Correct. It's preferable to use ExtractTextPlugin for production. I describe one way to use that in my book.

tsaiDavid commented 8 years ago

@bebraw @danpalmer - could using things like 'Radium' help mitigate these potential security issues?

bebraw commented 8 years ago

@tsaiDavid Good question. Perhaps it would be best to ask the Radium guys directly. Feel free to CC me. :+1:

bebraw commented 8 years ago

@tsaiDavid Did you ask the Radium guys? I wonder how they deal with this.