Closed xi closed 8 months ago
We can improve out documentation, our official recommendation is use https://github.com/webpack-contrib/style-loader#recommend and use style-loader only for development purposes for perf reasons, anyway in some cases developers want to inline CSS due to some internal reasons and we can't forbid it to them, when you should trust your code when you inline it
Documentation Is:
Please Explain in Detail...
Content Security Polcies (CSPs) make the web a safer place. Authors can use unsafe policies, but those are clearly labelled so authors do not use them by accident. One such unsafe policy is
unsafe-inline
.This loader heavily promotes unsafe-inline code: All available options for
injectType
except forlinkTag
are unsafe, including the default value (styleTag
). This makes it a barrier for the adoption of tighter CSPs. As this loader is used on a lot of websites, this has a huge impact on the security of the web in general.As discussed in #306 and #487, CSPs allow to use nonces for inline code. However, these are not a proper solution. The spec is quite clear about the many drawbacks of nonces:
Your Proposal for Changes
linkTag