Closed danpalmer closed 8 years ago
Correct. It's preferable to use ExtractTextPlugin for production. I describe one way to use that in my book.
@bebraw @danpalmer - could using things like 'Radium' help mitigate these potential security issues?
@tsaiDavid Good question. Perhaps it would be best to ask the Radium guys directly. Feel free to CC me. :+1:
@tsaiDavid Did you ask the Radium guys? I wonder how they deal with this.
I was reading the cookbook, and just noticed this section.
Unless Webpack is doing something really sneaky here (which I don't think is the case, but do correct me if I'm wrong), these styles will end up being rendered into the page as inline styles on DOM elements.
This is generally poor for application security. Aspects of inline styles can be used in various attacks, including XSS attacks, and it's generally preferable to disable them with a Content Security Policy if possible.
I advise adding a warning to this section to say that it could cause security issues, and that it is not advised to use it in production.