
Critical CSS

(critical-css-extractor.kigo.studio)
234 points stevenpotts | 2 comments
sublinear No.43902200
Non-starter for all but hobby websites since it's incompatible with any content security policy disallowing inline style tags.

Edit regarding replies to this comment: I'm sure many will get a kick out of your workarounds and they're all worth posting in the spirit of HN, however I am talking about CSPs that disallow shenanigans. Carry on though :^)

replies(4): >>43902265 #>>43902288 #>>43902334 #>>43902788 #
1. yakshaving_jgt No.43902265
That’s a good point, though can’t this instance be whitelisted with a nonce?
replies(1): >>43902327 #
2. sublinear No.43902327
You could, but in the real world not every frontend dev has control over the CSP on the server allowing nonces to even be an option.

Even when they do, they might be subject to a security audit forbidding it. There are two reasons nonces can suck: first is that nonces may be passed around for 3rd party script usage and that blows a hole in your security policy, and the other is that many implementations to generate nonces are not implemented correctly, so the security team might have less trust in devs.

It really depends on the organization and project. Once you start getting near the security fence you may find it's more trouble than it's worth.

I would try to find less complicated solutions for small details like this. Obvious question might be why your CSS can't be a separate file that is small enough to not cause a performance issue.
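
Added example, not part of any comment in the thread: a sketch of serving inlined critical CSS under a nonce-based `style-src`, plus a small audit for the generation mistakes mentioned above (a static or reused nonce, too little entropy, a style tag whose nonce does not match the header). The function names `new_nonce`, `render_page` and `audit` and the sample policy are assumptions made for illustration.

```python
import base64
import re
import secrets

# Matches the nonce-source expression inside a CSP header value.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_-]+={0,2})'")

def new_nonce(nbytes=16):
    """Fresh nonce for ONE response: 128 bits from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def render_page(critical_css, body_html):
    """Return (headers, html). body_html is assumed to be already sanitized."""
    if "</style" in critical_css.lower():
        raise ValueError("critical CSS must not be able to close the style element")
    nonce = new_nonce()  # generated per response, never cached or read from config
    headers = {"Content-Security-Policy":
               f"default-src 'self'; style-src 'self' 'nonce-{nonce}'"}
    html = (f'<!doctype html><html><head><style nonce="{nonce}">{critical_css}'
            f"</style></head><body>{body_html}</body></html>")
    return headers, html

def audit(responses):
    """Check a series of (headers, html) responses for common nonce mistakes."""
    findings, seen = [], set()
    for i, (headers, html) in enumerate(responses):
        for nonce in NONCE_RE.findall(headers.get("Content-Security-Policy", "")):
            if len(nonce.rstrip("=")) * 6 < 128:  # 6 bits per base64 character
                findings.append(f"response {i}: nonce too short (<128 bits)")
            if nonce in seen:
                findings.append(f"response {i}: nonce reused across responses")
            if f'nonce="{nonce}"' not in html:
                findings.append(f"response {i}: no style tag carries this nonce")
            seen.add(nonce)
    return findings

if __name__ == "__main__":
    # Constructed sample input: two good responses, then a hard-coded nonce.
    good = [render_page("body{margin:0}", "<p>hello</p>") for _ in range(2)]
    print(audit(good))
    static = ({"Content-Security-Policy": "style-src 'nonce-abc123'"},
              '<style nonce="abc123">body{margin:0}</style>')
    print(audit([static, static]))
```
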