Iconify script causes CSP violations about iconify HOT 7 CLOSED

It isn't possible because it would break backwards compatibility. Some users might rely on that stylesheet being injected.

If you really want to get rid of that message, the only option is to build custom version of Iconify. Clone this repository, open src/browser/init.js, remove this code:

    /**
     * Add stylesheet
     *
     * @param timed
     * @returns {boolean}
     */
    local.addStylesheet = function(timed) {
        var el;

        if (!document.head || !document.body) {
            if (local.domready) {
                // head or body is missing, but document is ready? weird
                return true;
            }
            if (!timed) {
                local.initTimeout(local.addStylesheet.bind(null, true));
            }
            return false;
        }

        // Add Iconify stylesheet
        try {
            el = document.createElement('style');
            el.type = 'text/css';
            el.innerHTML = 'span.iconify, i.iconify, iconify-icon { display: inline-block; width: 1em; }';
            if (document.head.firstChild !== null) {
                document.head.insertBefore(el, document.head.firstChild);
            } else {
                document.head.appendChild(el);
            }
        } catch (err) {}

        return true;
    };
    local.initQueue.push(local.addStylesheet.bind(null, false));

then rebuild package. To rebuild it run these commands:

npm install
npm run build

Then you can use iconify.min.js from directory dist

from iconify.

This is interesting. I'll need to investigate this new Chrome thing.

Currently inline style is used for 2 purposes:

• To add transform: rotate(360deg) that seems redundant, but it is actually needed to fix rendering bug in Firefox.
• To add vertical-align: -0.125em that makes icon behave like icon font.

Rendering bug that required dummy transform is no longer needed. Just few years ago it existed in almost all browsers, but all vendors have fixed it. Firefox was last one to fix it just few months ago.

Vertical alignment is needed. However it can be moved from inline style to setting it in DOM: node.style.verticalAlign = '-0.125em';. I don't know if that would fix error, will need to investigate it.

from iconify.

To add transform: rotate(360deg) that seems redundant, but it is actually needed to fix rendering bug in Firefox.

😆 This reminds me of a famous Jason Kidd quote.

I don't know if that would fix error, will need to investigate it

I believe that would fix the error as DOM manipulation doesn't violate CSP. Just setting inline styles does.

from iconify.

Managed to get that error as well, played a bit with it and found a fix. You are right, DOM manipulation doesn't violate CSP, so workaround works.

I'll apply fix, will do some more tests to make sure it all works and will publish update tomorrow.

For allowed script sources you also need to add https://api.iconify.design/. Script uses JSONP to retrieve data for icons instead of fetching JSON because it is easier to support Internet Explorer that way, so it needs to be added to script-src policy.

If you'll be updating to Iconify 2 when it will be available (I think it will be ready sometime in April, though could be delayed a bit because tons of documentation needs to be written), things will get a bit more complicated. You'll need to add 2 more domains to script-src: https://api.simplesvg.com/ and https://api.unisvg.com/. Why are there 3 domains instead of one? Sometimes visitors experience routing issues or DNS issues or API could be down for few minutes. Internet is not stable and things can happen. To solve that issue, new version has redundancy built in to connect to backup API if default API can't be reached within a second.

from iconify.

Sounds good! 👍

from iconify.

Published version 1.0.5 with fix.

You will still see one CSP notice in console. Script will attempt to inject the following stylesheet:

span.iconify, i.iconify, iconify-icon { display: inline-block; width: 1em; }

It will fail and display notice in console, but it will not affect any functionality and will not stop execution.

from iconify.

@cyberalien Hi, in version 1.0.5, I still get one style-src error about unsafe-inline. Is it possible not to set or inject any style to avoid this error?

EDIT: The error comes from this line in iconify.js

Thanks

from iconify.