Empty <style> block appended to <head> when transition is used.

[whataboutpereira]

I just started exploring Svelte transitions I noticed sudden CSP failures in Firefox and Chrome.

I've tracked it down to Svelte appending an empty <style>element to when transitions are used.

Transition is used in a component like this:

<script>
    import { fade } from "svelte/transition";
</script>

<div transition:fade>
    <!-- content -->
</div>

Results in the following:

index.mjs:481 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'. Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

I managed to suppress the warning by adding the suggested hash for the empty <style> tag to my CSP policy, but creating an empty <style> seems redundant.

[Conduitry]

Is this an issue about empty elements blocks being added, or about style blocks being added dynamically at all? Svelte needs to be able add some styles dynamically to handle transitions at all. If this is a problem for your case, you can't use Svelte transitions that are turned into CSS transitions, and will probably need to use js transitions, which are generally less preferable because they run in the same thread as the rest of your js.

[whataboutpereira]

So far, in my case, it's the empty style block. But I suspect a block with content is indeed more hard to make pass CSP unless a nonce can be used somehow (like the main Sapper script tag does).

[whataboutpereira]

I'm wondering if it would be possible for Sapper/Svelte to add an empty style block with a nonce upon page generation and then using that to load the styles?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.