
Provide an alternative to style injection for CSP purposes

Open adcoelho opened this issue 5 years ago • 3 comments

I have run into a problem when trying to introduce Content Security Policy (CSP) in my project where, by default, the Diff Match Patch JavaScript library injects CSS directly into the DOM.

For webpages secured using CSP, this requires allowing style-src 'unsafe-inline', which kind of defeats the purpose of having such a policy.

With this PR we will provide an alternative for stricter CSP environments.

The style injection can now be turned off with:

```js
// Disable automatic style injection
diff_match_patch.Style_Injection = false;
```

and the following CSS file needs to be manually added to the webpage:

```html
<link rel="stylesheet" type="text/css" href="path/to/diff_match_patch.css">
```

If merged, I can then update the JavaScript portion of the wiki with relevant instructions.

adcoelho, Apr 03 '20 13:04
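The trade-off described in the post above can be checked mechanically. The following is an added example, not code from the pull request or the library: it parses a Content-Security-Policy header value and reports whether inline styles are still permitted, which tells you whether a page depends on 'unsafe-inline'. The function names and the sample policies are constructed for illustration.

```javascript
// Added example (not from the PR). Decides whether a Content-Security-Policy
// header value permits inline styles. All sample policies are constructed.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// kind: 'elem' for <style> elements, 'attr' for style="" attributes.
function inlineStyleAllowed(headerValue, kind = 'elem') {
  // A header may carry several comma-separated policies; all must allow.
  return headerValue.split(',').every((policy) => {
    const d = parsePolicy(policy);
    // Fallback chain: style-src-elem|attr -> style-src -> default-src.
    const sources =
      d.get(`style-src-${kind}`) ?? d.get('style-src') ?? d.get('default-src');
    if (sources === undefined) return true; // no directive governs styles
    const lower = sources.map((s) => s.toLowerCase());
    // A nonce or hash source makes browsers ignore 'unsafe-inline'.
    const hasNonceOrHash = lower.some((s) =>
      /^'(nonce-|sha(256|384|512)-)/.test(s));
    return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  });
}

// Constructed sample policies: strict, relaxed, and nonce-based.
const samples = [
  "default-src 'self'",
  "default-src 'self'; style-src 'self' 'unsafe-inline'",
  "style-src 'self' 'unsafe-inline' 'nonce-abc123'",
];
for (const p of samples) {
  console.log(inlineStyleAllowed(p) ? 'inline styles allowed:' : 'inline styles blocked:', p);
}
```

A policy for which this returns false needs the styles served from a file allowed by style-src, as with the linked stylesheet in the post.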

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

:memo: Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


googlebot, Apr 03 '20 13:04

@googlebot I signed it!

adcoelho, Apr 10 '20 09:04

CLAs look good, thanks!

googlebot, Apr 10 '20 09:04