Skip to content
This repository has been archived by the owner on Aug 5, 2024. It is now read-only.

Provide an alternative to style injection for CSP purposes #88

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

adcoelho
Copy link

@adcoelho adcoelho commented Apr 3, 2020

I have run into a problem when trying to introduce Content Security Policy (CSP) in my project where, by default, the Diff Match Patch javascript library injects CSS directly into the DOM.

For webpages secured using CSP, this requires to allow style-src 'unsafe-inline' which kind of defeats the purpose of having such policy.

With this PR we will provide an alternative for stricter CSP environments.

The style injection can now be turned off with:

// Disable automatic style injection
diff_match_patch.Style_Injection = false;

and the following CSS file needs to be manually added to the webpage:

<link rel="stylesheet" type="text/css" href="path/to/diff_match_patch.css">

If merged, I can then update the Javascript portion of the wiki with relevant instructions.

@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


What to do if you already signed the CLA

Individual signers
Corporate signers

ℹ️ Googlers: Go here for more info.

@adcoelho
Copy link
Author

@googlebot I signed it!

@googlebot
Copy link

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants