CSP #340
Comments
|
what is CSP? |
|
CSP stands for Content Security Policy |
|
Does this commit:
82e3f88
address your concern? It looks like you can set 'insecure=false' as a
property and avoid style injection. Or am I misunderstanding the issue?
…On Mon, Apr 9, 2018 at 2:11 AM, Markus Voss ***@***.***> wrote:
CSP stands for Content Security Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#340 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AS_pnbZJye3LfppAxg0rUM1CyGX2C5zmks5tmvuAgaJpZM4Ph19i>
.
|
|
@aronhelser the thing is that your styles are being embedded on the page by one of your js files and it does not work with strict content security policy unless you put the hash. So the question is can you move all your styles to a separate css file? |
|
@myfoxtail could you try out the |
|
Hi @aronhelser Thank you for the response. I'm afraid that the package you deliver with npm does not contain any css files (please refer to image below):
Though I can see that it's in the source code. |
|
I also can't find the default styles in the package (and what if we want to customize the styles?) I think a better way to do this would be to use webpack_nonce. Other libraries face the same issue for strict CSPs, see styled-components/styled-components#1022 for example. Working on a PR for this. |
|
@aronhelser is the insecure prop still needed now that ce365fe was merged ? |
|
Personally, I would prefer to include the CSS file myself. It would be great if the CSS file would be added to the NPM package. On my site, the dynamic CSS file is sometimes inserted a little too late, displaying the popup text. |
|
Already change the style imported. |
jafin
pushed a commit
to jafin/react-tooltip
that referenced
this issue
Sep 30, 2022
# 1.0.0-alpha.1 (2022-04-03) ### Bug Fixes * add aria hidden attribute to style tag ([ReactTooltip#703](https://github.com/CodeForked/react-tooltip/issues/703)) ([d60c2b7](CodeForked/react-tooltip@d60c2b7)) * **aftershow:** call afterShow only after state has fully updated ([54752e8](CodeForked/react-tooltip@54752e8)) * **aphrodite_jss_deprecation:** aphrodite_jss replaced with custom solution ([fcdf7f1](CodeForked/react-tooltip@fcdf7f1)) * **aphrodite_jss_deprecation:** aphrodite_jss replaced with custom solution ([92fcf5b](CodeForked/react-tooltip@92fcf5b)) * **build:** removing single quotes on cpy for windows shell ([ReactTooltip#632](https://github.com/CodeForked/react-tooltip/issues/632)) ([9c280af](CodeForked/react-tooltip@9c280af)) * **colors:** allow customizable text, background, border, arrow colors ([9a85253](CodeForked/react-tooltip@9a85253)) * **compability:** add polyfill and change styles ([ReactTooltip#706](https://github.com/CodeForked/react-tooltip/issues/706)) ([b6e9a1c](CodeForked/react-tooltip@b6e9a1c)) * deleting warning in peer dependencies ([f30ae74](CodeForked/react-tooltip@f30ae74)) * do not delay show if tooltip is already shown ([ReactTooltip#676](https://github.com/CodeForked/react-tooltip/issues/676)) ([e8b9d84](CodeForked/react-tooltip@e8b9d84)) * **domexception:** revert previous changed for unexpected behavior ([85e38bb](CodeForked/react-tooltip@85e38bb)), closes [ReactTooltip#667](https://github.com/CodeForked/react-tooltip/issues/667) * effect and type not properly applied at first render ([a8d0e51](CodeForked/react-tooltip@a8d0e51)) * **event:** expose the original event to `afterShow` and `afterHide` ([e2f973e](CodeForked/react-tooltip@e2f973e)) * **example:** 'made dev' works again, small fixes. ([7b286bb](CodeForked/react-tooltip@7b286bb)), closes [ReactTooltip#328](https://github.com/CodeForked/react-tooltip/issues/328) [ReactTooltip#341](https://github.com/CodeForked/react-tooltip/issues/341) * **example:** <p> warning from react, make text match code. ([7c4c979](CodeForked/react-tooltip@7c4c979)) * **examples:** add SVG example ([72a98d7](CodeForked/react-tooltip@72a98d7)) * fix ie edge CustomEvent bug ([ReactTooltip#567](https://github.com/CodeForked/react-tooltip/issues/567)) ([b7f04f7](CodeForked/react-tooltip@b7f04f7)), closes [ReactTooltip#498](https://github.com/CodeForked/react-tooltip/issues/498) * **getPosition Util:** Remove shouldUpdatePlace check from position check ([1f8a054](CodeForked/react-tooltip@1f8a054)), closes [ReactTooltip#574](https://github.com/CodeForked/react-tooltip/issues/574) * **getposition:** properly determine parents with will-change: transform ([3a76250](CodeForked/react-tooltip@3a76250)) * **getPosition:** updated getPosition to fix 'maximum update depth' ([8fda305](CodeForked/react-tooltip@8fda305)) * **githubPage:** updating github page build in travis ([87b810a](CodeForked/react-tooltip@87b810a)) * **html:** remove sanitize-html-react, reduce package size ([177ac11](CodeForked/react-tooltip@177ac11)), closes [ReactTooltip#429](https://github.com/CodeForked/react-tooltip/issues/429) * **index.js:** add missing argument so tooltip hides. ([4d3661b](CodeForked/react-tooltip@4d3661b)) * **index.js:** fix exception when testing with Jest ([ReactTooltip#682](https://github.com/CodeForked/react-tooltip/issues/682)) ([f885f1f](CodeForked/react-tooltip@f885f1f)) * **index.js:** fix state initialization ([69dea07](CodeForked/react-tooltip@69dea07)) * **index.js:** Replaced the deprecated `componentWillReceiveProps`. ([80b71ed](CodeForked/react-tooltip@80b71ed)) * **index.js:** Use correct orientation when mouse enters ([4a0da8b](CodeForked/react-tooltip@4a0da8b)), closes [ReactTooltip#388](https://github.com/CodeForked/react-tooltip/issues/388) * install dependencies in example travis ([7ba8b28](CodeForked/react-tooltip@7ba8b28)) * **isCapture:** better guard that preserves logic ([28b8493](CodeForked/react-tooltip@28b8493)) * **isCapture:** guard use of currentTarget ([4f89a2d](CodeForked/react-tooltip@4f89a2d)) * **lint:** styles are now linted with stylelint ([3c17198](CodeForked/react-tooltip@3c17198)) * made it possible to pass uuid instead of generating one internally ([ReactTooltip#583](https://github.com/CodeForked/react-tooltip/issues/583)) ([083edfb](CodeForked/react-tooltip@083edfb)), closes [ReactTooltip#580](https://github.com/CodeForked/react-tooltip/issues/580) * mark prop-types and uuid as external to avoid bundling them ([ReactTooltip#582](https://github.com/CodeForked/react-tooltip/issues/582)) ([fb60855](CodeForked/react-tooltip@fb60855)) * modifying example ([9dc0b2e](CodeForked/react-tooltip@9dc0b2e)) * **no_var:** no vars allowed ([c591804](CodeForked/react-tooltip@c591804)) * **overridePosition:** providing currentEvent in overridePosition ([ReactTooltip#563](https://github.com/CodeForked/react-tooltip/issues/563)) ([3e75a09](CodeForked/react-tooltip@3e75a09)), closes [ReactTooltip#513](https://github.com/CodeForked/react-tooltip/issues/513) * performance issue caused by excessive use of clearTimeout/Interval ([22aea50](CodeForked/react-tooltip@22aea50)) * providing currentTarget in overridePosition ([ReactTooltip#564](https://github.com/CodeForked/react-tooltip/issues/564)) ([22c3bac](CodeForked/react-tooltip@22c3bac)) * **pr:** package.json fix; refactoring to exclude dependencies ([fdc17d4](CodeForked/react-tooltip@fdc17d4)) * release event listners ([ReactTooltip#534](https://github.com/CodeForked/react-tooltip/issues/534)) ([7cc1203](CodeForked/react-tooltip@7cc1203)) * **selector:** Add support for shadow DOM elements ([99be4d1](CodeForked/react-tooltip@99be4d1)) * **selector:** lint fixes ([873c2a8](CodeForked/react-tooltip@873c2a8)) * set aria-describedby value wrong when custom id ([a04d26c](CodeForked/react-tooltip@a04d26c)) * **showtooltip:** check if tooltipRef is undefined ([ReactTooltip#623](https://github.com/CodeForked/react-tooltip/issues/623)) ([f63eab2](CodeForked/react-tooltip@f63eab2)) * skip warning in example ([a555060](CodeForked/react-tooltip@a555060)) * **src/index.js:** add accessibility support for tabbing ([ReactTooltip#695](https://github.com/CodeForked/react-tooltip/issues/695)) ([ae936a5](CodeForked/react-tooltip@ae936a5)) * **src/index.js:** hide tooltip if blurred (tabbed out) ([ReactTooltip#699](https://github.com/CodeForked/react-tooltip/issues/699)) ([e0a2a1d](CodeForked/react-tooltip@e0a2a1d)) * **src/index.js:** Overwrite `delayHide` on scroll ([7a2d0b3](CodeForked/react-tooltip@7a2d0b3)), closes [ReactTooltip#474](https://github.com/CodeForked/react-tooltip/issues/474) * **staticMethods:** fixing IE event bug ([ReactTooltip#569](https://github.com/CodeForked/react-tooltip/issues/569)) ([9acc591](CodeForked/react-tooltip@9acc591)) * string into example ([356821b](CodeForked/react-tooltip@356821b)) * **style injection:** change style injection default root ([a00c5b7](CodeForked/react-tooltip@a00c5b7)), closes [ReactTooltip#665](https://github.com/CodeForked/react-tooltip/issues/665) * **styles:** add styles for shadow dom ([00d1539](CodeForked/react-tooltip@00d1539)), closes [ReactTooltip#597](https://github.com/CodeForked/react-tooltip/issues/597) * **styles:** change style injection way ([ReactTooltip#668](https://github.com/CodeForked/react-tooltip/issues/668)) ([1e10cce](CodeForked/react-tooltip@1e10cce)), closes [ReactTooltip#650](https://github.com/CodeForked/react-tooltip/issues/650) * **tooltip:** sanitize HTML to prevent XSS ([182df11](CodeForked/react-tooltip@182df11)) * **type:** added role property to types ([ReactTooltip#679](https://github.com/CodeForked/react-tooltip/issues/679)) ([9b49395](CodeForked/react-tooltip@9b49395)) * **type:** Fix global method parameter type ([ReactTooltip#585](https://github.com/CodeForked/react-tooltip/issues/585)) ([5e2b8db](CodeForked/react-tooltip@5e2b8db)) * **types:** adding types filename to package ([ReactTooltip#579](https://github.com/CodeForked/react-tooltip/issues/579)) ([05d8de2](CodeForked/react-tooltip@05d8de2)) * **types:** adding typescript d.ts file into dist ([e6300f7](CodeForked/react-tooltip@e6300f7)), closes [ReactTooltip#579](https://github.com/CodeForked/react-tooltip/issues/579) * update uuid module ([d937e59](CodeForked/react-tooltip@d937e59)) * updating styles using transferSas ([f2f7804](CodeForked/react-tooltip@f2f7804)) * using css into example ([7d343af](CodeForked/react-tooltip@7d343af)) * using sass styles with rollup ([bb6fe48](CodeForked/react-tooltip@bb6fe48)) * **uuid:** Use uuid package for unique class names ([ReactTooltip#566](https://github.com/CodeForked/react-tooltip/issues/566)) ([c2c2243](CodeForked/react-tooltip@c2c2243)) * validate lint in pretest ([ad7add0](CodeForked/react-tooltip@ad7add0)) * Merge pull request ReactTooltip#550 from wwayne/refactoring ([4609833](CodeForked/react-tooltip@4609833)), closes [ReactTooltip#550](https://github.com/CodeForked/react-tooltip/issues/550) ### Features * adding typescript type defs ([ReactTooltip#571](https://github.com/CodeForked/react-tooltip/issues/571)) ([cb2b921](CodeForked/react-tooltip@cb2b921)) * **clickable-prop:** add clickable prop ([a75b2be](CodeForked/react-tooltip@a75b2be)), closes [ReactTooltip#417](https://github.com/CodeForked/react-tooltip/issues/417) * **component:** adding "padding" property to customize padding style ([9ae765a](CodeForked/react-tooltip@9ae765a)) * convert to typescript ([dc547c1](CodeForked/react-tooltip@dc547c1)) * getContent(dataTip) ([8bfbfc9](CodeForked/react-tooltip@8bfbfc9)) * **getContent:** update Travis, trigger semantic-release ([9617267](CodeForked/react-tooltip@9617267)) * **overridePosition:** Add "overridePosition" property to handle border cases and customize position ([ccb8b58](CodeForked/react-tooltip@ccb8b58)) * **overridePosition:** Added example ([7df8454](CodeForked/react-tooltip@7df8454)) * Small bug fix to previous commit ([19a8a67](CodeForked/react-tooltip@19a8a67)) * The only way to support styling react-tooltips with a strict csp is to inject the style.css di ([cf105a1](CodeForked/react-tooltip@cf105a1)), closes [ReactTooltip#340](https://github.com/CodeForked/react-tooltip/issues/340) * **tooltip:** Add ability to hover on tooltip. Provide optional delay of updating so if the mouse p ([79342ce](CodeForked/react-tooltip@79342ce)) ### Performance Improvements * **Use sanitize-html-react instead of sanitize-html to avoid useless server side dependencies:** Us ([4b84caa](CodeForked/react-tooltip@4b84caa)), closes [ReactTooltip#424](https://github.com/CodeForked/react-tooltip/issues/424) ### BREAKING CHANGES * Updating readme for demo
|
If anyone has issues with this and cannot enable the import { Tooltip } from "react-tooltip";
import "react-tooltip/dist/react-tooltip.css";
export function Test () {
return (
<Tooltip
// ...
disableStyleInjection="core"
/>
);
} |
|
@fabiolmorato How to do it they have react-tooltip@3.11.1 and cannot update this? As old version does not have css file in it |
|
@z-akashGupta this solution is for >= v5, I strongly recommend you to update it as we did a lot of improvements on v5. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi,
it seems that this library uses inline styles to add its styling. This is a problem for the recommended CSP style rule:
style-src 'self'
I would be happy to include the css in my project, and this problem would be fixed..
Regards,
Markus
The text was updated successfully, but these errors were encountered: