Avoid triggering a CSP (content security policy) error (rrweb-io#846)

* Fix for rrweb-io#816 - avoid triggering a CSP (content security policy) error with `.setAttribute('style')` * The bare unattachedDoc that I previously naively created didn't have a doctype and wasn't a HTML document, so the child style element didn't have the `old.style` attribute available * Add a try/catch to provide some robustness in case `document.implementation.createHTMLDocument` isn't available
eoghanmurray · Jul 27, 2023 · b5a3a8e · b5a3a8e
1 parent fb5ed64
commit b5a3a8e
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/packages/rrweb/src/record/mutation.ts b/packages/rrweb/src/record/mutation.ts
@@ -472,6 +472,14 @@ export default class MutationBuffer {
     if (isIgnored(m.target, this.mirror)) {
       return;
     }
+    let unattachedDoc;
+    try {
+      // avoid upsetting original document from a Content Security point of view
+      unattachedDoc = document.implementation.createHTMLDocument();
+    } catch (e) {
+      // fallback to more direct method
+      unattachedDoc = this.doc;
+    }
     switch (m.type) {
       case 'characterData': {
         const value = m.target.textContent;
@@ -554,7 +562,7 @@ export default class MutationBuffer {
         }
 
         if (attributeName === 'style') {
-          const old = this.doc.createElement('span');
+          const old = unattachedDoc.createElement('span');
           if (m.oldValue) {
             old.setAttribute('style', m.oldValue);
           }