SPFx and CSP enforcement - Testing Inline Script #10742
Open
Labels
sharepoint-developer-support, status:by-design (Topic described is by design & not considered an issue.)
Description
What type of issue is this?
Question
What SharePoint development model, framework, SDK or API is this about?
💥 SharePoint Framework
Target SharePoint environment
SharePoint Online
What browser(s) / client(s) have you tested
- 💥 Internet Explorer
- 💥 Microsoft Edge
- 💥 Google Chrome
- 💥 FireFox
- 💥 Safari
- mobile (iOS/iPadOS)
- mobile (Android)
- not applicable
- other (enter in the "Additional environment details" area below)
Additional environment details
- browser version: Edge 144.0.3719.115
- SPFx version: 1.18.2 & above
- Node.js version 18 & above
Issue description
Regarding the CSP enforcement announcement and related documentation here & here, I wanted to see the impact on existing SPFx solutions which involve inline scripts, with the query parameter "csp=enforce".
But it seems like it doesn't raise any error and the inline script still works. I tried with a site on which the following code is called through an SPFx solution:
```typescript
// Collect every <style> element in the parent page's <head>.
const parentStyles = window.document.querySelectorAll('head>style');
// Locate the rich-text editor iframe and the editor <div> inside it.
const iframe: HTMLIFrameElement = window.document.querySelector('iframe#iframe_edit_rte');
let rteDiv: HTMLElement = iframe.contentDocument.documentElement.querySelector(`div[id^="${this.props.fieldName}"][id$="rte"]`);
rteDiv.classList.add("ql-editor");
const iframeHead = iframe.contentDocument.documentElement.querySelector("head");
// Copy each parent <style> into the iframe's <head> as a newly created <style> element.
parentStyles.forEach((styleElement: HTMLElement) => {
  const style = document.createElement('style');
  style.textContent = styleElement.innerHTML;
  iframeHead.appendChild(style);
});
// Hide the container of the original field element.
iframe.contentDocument.documentElement.querySelector(`#${this.props.fieldName}`).parentElement.hidden = true;
```

Is there a way to test the behavior of an SPFx solution that contains inline script without enabling CSP enforcement on the tenant?
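How a CSP decides whether inline content runs, as an added example that is not part of the original issue and not Microsoft's code: a simplified evaluator covering inline `<script>` elements and dynamically created `<style>` elements like those in the snippet above. The policy string and nonce are constructed; the policy a tenant actually sends has to be read from the response's `Content-Security-Policy` header, and hash matching is not implemented here.

```javascript
// Added example: simplified CSP inline check. POLICY is constructed, not SharePoint's real header.
const POLICY =
  "script-src 'self' 'nonce-r4nd0m' 'unsafe-inline' https://cdn.example.test; object-src 'none'";

// Split a policy string into { directiveName: [source, ...] }.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Directive fallback chains for inline <script> and <style> elements.
const FALLBACK = {
  script: ["script-src-elem", "script-src", "default-src"],
  style: ["style-src-elem", "style-src", "default-src"],
};

// Decide whether an inline element of the given kind ("script" or "style") is allowed.
// nonce is the element's nonce attribute, or undefined when it has none.
function checkInline(policy, kind, nonce) {
  const directives = parseCsp(policy);
  const name = FALLBACK[kind].find((d) => d in directives);
  // No governing directive in the policy means this kind of content is not restricted.
  if (!name) return { allowed: true, directive: null, reason: "no governing directive" };
  const sources = directives[name];
  if (nonce && sources.includes(`'nonce-${nonce}'`)) {
    return { allowed: true, directive: name, reason: "nonce matches" };
  }
  // 'unsafe-inline' is ignored once the list carries a nonce or hash
  // (and, for scripts, 'strict-dynamic').
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const strictDynamic = kind === "script" && sources.includes("'strict-dynamic'");
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
    return { allowed: true, directive: name, reason: "'unsafe-inline' in effect" };
  }
  return { allowed: false, directive: name, reason: "inline content blocked" };
}
```

Under the constructed policy, a `<style>` element appended through the DOM has no governing directive, so it cannot produce a violation, while an inline `<script>` without the matching nonce is blocked even though `'unsafe-inline'` is listed.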