(critical-css-extractor.kigo.studio)

234 points stevenpotts | 1 comments | 06 May 25 03:13 UTC | HN request time: 0.28s | source

Show context

sublinear ◴[06 May 25 05:58 UTC] No.43902200[source]▶

Non-starter for all but hobby websites since it's incompatible with any content security policy disallowing inline style tags.

Edit regarding replies to this comment: I'm sure many will get a kick out of your workarounds and they're all worth posting in the spirit of HN, however I am talking about CSPs that disallow shenanigans. Carry on though :^)

replies(4): >>43902265 #>>43902288 #>>43902334 #>>43902788 #

pjc50 ◴[06 May 25 08:17 UTC] No.43902788[source]▶

>>43902200 #

> content security policy disallowing inline style tags

Wait, why on earth is this a thing?

replies(2): >>43903348 #>>43908360 #

hombre_fatal ◴[06 May 25 10:03 UTC] No.43903348[source]▶

>>43902788 #

I guess the main case is if user-generated content has an escape bug that lets the user inject a <style> tag?

replies(1): >>43904309 #

1. throwaway290 ◴[06 May 25 12:27 UTC] No.43904309[source]▶

>>43903348 #

If only this was about UGC. Most of it can have nothing to do with actual users. Think stuff like ads or other injects like a dependency of dependency of dependency of your frontend app compromised by a north korean hacker.

↑

Critical CSS