Nessworthy
commented
7 years ago CSPs and element style attribute usage is a tricky business. There's no real work around as far as I can see other than adding unsafe-inline to your CSP. If you want to go hard on blocking inline styling, I wonder if you could provide a style nonce in the header, an option to set it in the plugin, and instead of the plugin using style attributes, to write to a style element instead.
As it stands, there's very little to be said about inline style attributes and nothing on how to explicitly allow specific ones on elements. The CSP spec is lacks granular control towards it (and equally so on javascript's inline event handler attributes too), making these kinds of problems very difficult to overcome without outright enabling inline styles..
bozdoz
The basic usage example does not work with the CSP header:
The button does not work but that can be easily worked around by calling
introJs().start()from the console, however the browser prevents multiple inline styles from running thus the positioning of the popup and overlay is wrong.