# 2 years ago | |
---|---|
I tested the CSP with whitelisting 'self' and *.wordart.com in the meta-tag of the html page, but the cloud was not shown correctly (e.g. too small and wrong hover effects). (There were no problems with other elements of other providers like frames, so the CSP itself should be fine.) I think this is because of inline styles within the wordart-scripts; see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src and scroll down to "examples", here they say: "As well [blocked are] styles that are applied in JavaScript by setting the style attribute directly, or by setting cssText. […] However, styles properties that are set directly on the element's style property will not be blocked, allowing users to safely manipulate styles via JavaScript". So maybe changing the code by separating script and style can help. (As an alternative way they also talk about nonces and hashes, but I'm not an CSP- (or coding) expert, so I don't know if this would fit here.) |
# 2 years ago | |
---|---|
Hello! Is it possible to embed a WordArt-cloud on a website with an active Content Security Policy, which becomes more and more important nowadays? WordArt uses inline style elements, so there are some troubles, I think. Allowing 'self' and "*.wordart.com" also doesn't work well. |