Our initial Content-Security-Policy header in bug 1270157 had to use the 'unsafe-inline' `style-src` CSP directive, since:

* the react-select dependency uses the `emotion` package (CSS in JS) which uses inline styles. Bug 1507903 is filed for removing Treeherder's dependency on react-select.
* there are a few places left in our own codebase that use inline styles

In the meantime it is important to ensure when reviewing frontend changes, that no more inline styles are added in our JSX.
Bug 1529862 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Our initial Content-Security-Policy header in bug 1270157 had to use the 'unsafe-inline' `style-src` CSP directive, since:

* the react-select dependency uses the `emotion` package (CSS in JS) which uses inline styles. Bug 1507903 is filed for removing Treeherder's dependency on react-select.
* there are a few places left in our own codebase that use inline styles
* our usage of Font Awesome needs to be tweaked to manually import the CSS and disable automatic style injection - see: https://fontawesome.com/how-to-use/on-the-web/other-topics/security#policy

In the meantime it is important to ensure when reviewing frontend changes, that no more inline styles are added in our JSX.
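
An added example, not part of the bug comment or of Treeherder's code: a check that reports whether a Content-Security-Policy value still allows inline styles, following the browser's directive fallback (`style-src-attr` / `style-src-elem`, then `style-src`, then `default-src`). The function names and the sample policies are constructed for illustration.

```javascript
// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions. Directive names are
// case-insensitive, and a repeated directive is ignored (first one wins).
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Matches 'nonce-...' and 'sha256-...' / 'sha384-...' / 'sha512-...' sources.
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+\/_=-]+'$/i;

// kind is 'elem' (<style> elements) or 'attr' (style="" attributes).
// Returns the directive that governs inline styles of that kind and
// whether it allows all of them.
function inlineStylePolicy(headerValue, kind) {
  const directives = parseCsp(headerValue);
  const chain = [`style-src-${kind}`, 'style-src', 'default-src'];
  const governing = chain.find((name) => directives.has(name));
  // No style or default directive: the policy does not restrict styles.
  if (!governing) return { governing: null, allowsInline: true };
  const sources = directives.get(governing);
  // A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
  if (sources.some((s) => NONCE_OR_HASH.test(s))) {
    return { governing, allowsInline: false };
  }
  const allowsInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return { governing, allowsInline };
}

// Constructed sample policies (not Treeherder's actual header).
const SAMPLE_WITH_EXCEPTION =
  "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'";
const SAMPLE_TIGHTENED =
  "default-src 'none'; script-src 'self'; style-src 'self'";

console.log(inlineStylePolicy(SAMPLE_WITH_EXCEPTION, 'attr'));
console.log(inlineStylePolicy(SAMPLE_TIGHTENED, 'attr'));
```

Run against the deployed header in a frontend test, the same function turns the removal of 'unsafe-inline' into an assertion that fails if the exception is reintroduced.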