Avoid more CSP violations errors

[Siltaar]

Hi,

I'm using ListJS v2.3.5 from @lovasoa in the Meta-Press.es WebExtension, with strict CSP rules "default-src 'self'".

ListJS generates a lot of CSP violation error messages while I'm just displaying 20 items in one list, and 1 item in another.

 Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “default-src 'self'”

24622 occurrences at list.min.js:1:12740

I also get 490 occurrences from list.min.js:1:12027

Would it be possible to have the styles in a separate file ? (considering it would avoid further CSP violation error messages).

[lovasoa]

Hello! I'm not interested in implementing that myself, but if you want, you can make a pull request and I'll review it.

It shouldn't make distribution harder, so it would be nice if the css was still bundled in the package by default, just with an option to serve it separately.

Maybe create list-nostyles.js, styles.css, and a generated list.js that contains both and applies the stylesheet on load by default.

[Siltaar]

Thanks for your quick reply.
I note this task for further investigation and might handle it later (in months or years).
I wonder if those error messages are implying a performance penalty…

[Siltaar]

I tried a simple approach here : sqlpage#3