You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When CSP headers are set to only allow styles from a specific source (e.g. style-src 'self'), the CSS injected by the polyfill will be blocked by versions of Edge running EdgeHTML, stopping the polyfill from working properly.
The remedy is to add the sha256 hash of the injected CSS to the header sent to the browser or to adapt the polyfill to inject a stylesheet <link> element instead, although I think the former is preferable.
I don't think there's any need for a material change to the code, but perhaps a warning in the readme might help people anticipate this problem. Happy to submit a PR for this if that's helpful
The text was updated successfully, but these errors were encountered:
When CSP headers are set to only allow styles from a specific source (e.g.
style-src 'self'), the CSS injected by the polyfill will be blocked by versions of Edge running EdgeHTML, stopping the polyfill from working properly.The remedy is to add the
sha256hash of the injected CSS to the header sent to the browser or to adapt the polyfill to inject a stylesheet<link>element instead, although I think the former is preferable.See this Mozilla guideline on web security for more info:
https://infosec.mozilla.org/guidelines/web_security#content-security-policy
I don't think there's any need for a material change to the code, but perhaps a warning in the readme might help people anticipate this problem. Happy to submit a PR for this if that's helpful
The text was updated successfully, but these errors were encountered: