Allow attributes to be set on generated style tag for CSP
crisbeto opened this issue · comments
Inline styles aren't compatible with the `style-src` directive of CSP. It can be opted into, but that can introduce a security vulnerability since it allows all inline styles. One way to make it work is to set the `nonce` attribute on the stylesheet to an expression that is replaced by the nonce by the server when the stylesheet is served, e.g. `<style nonce="{% nonce %}">/* styles go here */</style>`. Currently this isn't possible, because Critters doesn't allow for attributes to be added to the `style` tag.
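
The server-side half of the approach described in the issue, as an added example that is not part of the original issue and is not Critters code: it refuses to serve a page whose inlined `<style>` tags lack the placeholder, then substitutes a fresh per-response nonce and emits the matching header. The function names, the `'self'` source in the policy and the sample pages are assumptions; only the `{% nonce %}` token comes from the issue.

```javascript
// Added example (Node.js). Not Critters code; names below are hypothetical.
const { randomBytes } = require('node:crypto');

const PLACEHOLDER = '{% nonce %}'; // placeholder token quoted in the issue

// Return every opening <style> tag that does not carry nonce="{% nonce %}".
// Under a nonce-based style-src the browser would refuse to apply these blocks.
function styleTagsMissingNonce(html) {
  const openTags = html.match(/<style\b[^>]*>/gi) || [];
  return openTags.filter((tag) => !tag.includes(`nonce="${PLACEHOLDER}"`));
}

// Build one response: fresh nonce, placeholder substituted, matching CSP header.
function renderWithNonce(template) {
  const missing = styleTagsMissingNonce(template);
  if (missing.length > 0) {
    // Fail closed instead of weakening the policy with 'unsafe-inline'.
    throw new Error(`style tag without nonce placeholder: ${missing[0]}`);
  }
  // 128 bits from the CSPRNG, generated per response and never reused.
  const nonce = randomBytes(16).toString('base64');
  // Substitute only inside opening <style> tags, so a placeholder string that
  // appears elsewhere in the page (for example in user content) gets no nonce.
  const body = template.replace(/<style\b[^>]*>/gi, (tag) =>
    tag.split(PLACEHOLDER).join(nonce));
  return {
    nonce,
    // Assumed policy: same-origin stylesheets plus inline blocks with this nonce.
    headers: { 'Content-Security-Policy': `style-src 'self' 'nonce-${nonce}'` },
    body,
  };
}

// Constructed sample pages: one with the placeholder attribute, one without.
const withNonce =
  '<html><head><style nonce="{% nonce %}">body{margin:0}</style></head></html>';
const withoutNonce =
  '<html><head><style>body{margin:0}</style></head></html>';
```
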