vakata / jstree

jquery tree plugin
http://jstree.com
MIT License
5.15k stars 1.38k forks source link

How to use jsTree with Content Security Policy meta tag? #2515

Closed clouser closed 3 years ago

clouser commented 3 years ago

Hello. I have a requirement to add the following Content Security Policy mega tag to my application, but when I do I see errors in the browser console because the jsTree plugin uses inline styles. Are there any plans to remove inline styles from the plugin so applications can use CSP without the need to add unsafe-inline into their CSP tag?

<meta http-equiv="Content-Security-Policy" content="script-src 'self'; style-src 'self';">

vakata commented 3 years ago

I will check how many internal styles there are and why and get back to you.

vakata commented 3 years ago

My tests reveal that aside from the contextmenu plugin and the DND plugin, there are no inline styles (there is a worker too but that can be either part of the CSP or disabled). I may have missed something - let me know which plugins you use so that I can see what is wrong.