Skip to content

Polyfill fails in Edge with strict Content Security Policy headers #68

Description

@mikejamesthompson

When CSP headers are set to only allow styles from a specific source (e.g. style-src 'self'), the CSS injected by the polyfill will be blocked by versions of Edge running EdgeHTML, stopping the polyfill from working properly.

The remedy is to add the sha256 hash of the injected CSS to the header sent to the browser or to adapt the polyfill to inject a stylesheet <link> element instead, although I think the former is preferable.

See this Mozilla guideline on web security for more info:
https://infosec.mozilla.org/guidelines/web_security#content-security-policy

I don't think there's any need for a material change to the code, but perhaps a warning in the readme might help people anticipate this problem. Happy to submit a PR for this if that's helpful

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions