
Is it possible to allow inline style only in a specific iframe in Electron?

My problem: I'm trying to load the Whatfix script in the Electron app. The Whatfix script loads everything in an iframe and it's using inline styles, which renders the widget without any styles due to the Electron CSP. I don't want to use unsafe-inline CSP on the whole application; I need it just on this iframe, which comes from Whatfix.

Error which I get: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'"

My CSP directives: default-src 'self';

granty
Alen

1 Answer


An iframe with a network scheme like <iframe src='http:/https: ...'> creates an isolated browsing context.
This means the parent document's CSP does not act inside the iframe, and the iframe can have its own independent CSP. If you have control over the iframe, you can publish any specific CSP header or meta tag inside the iframe. And without a CSP, any inline styles will be allowed inside such an iframe.

Note that iframes with srcdoc= and iframes with data:Url / blob:Url / javascript:Url like <iframe src='data:text/html;charset=utf-8,...'> do inherit the CSP of the parent document, because such iframes do not create a totally isolated browsing context.

granty
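
The rule in the answer above, as an added example that is not part of the original answer: a small Node.js model of which policy applies inside a frame, plus the parent-side check (frame-src, falling back to child-src and then default-src) that decides whether the frame may load at all. The origins app.example and widget.example, the policy strings and all function names are assumptions made for illustration; source matching is simplified to exact origins.

```javascript
// Added example: models the CSP rules above. Simplified: exact-origin source
// matching only, no nonces/hashes, no style-src-attr/-elem.

// Parse a policy string into a Map: directive name -> array of source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // duplicates are ignored
    }
  }
  return directives;
}

// Local schemes: these frames inherit the embedding document's policy.
const INHERITING_SCHEMES = new Set(['data:', 'blob:', 'javascript:']);

// frame = { src, srcdoc, ownCsp }; ownCsp is the header/meta policy of the framed page.
function effectiveFrameCsp(parentCsp, frame) {
  if (frame.srcdoc !== undefined) return parentCsp;
  if (INHERITING_SCHEMES.has(new URL(frame.src).protocol)) return parentCsp;
  return frame.ownCsp || ''; // network scheme: only the frame's own policy applies
}

// Inline styles are governed by style-src, falling back to default-src.
function inlineStyleAllowed(policy) {
  const d = parseCsp(policy);
  const sources = d.get('style-src') ?? d.get('default-src');
  return sources === undefined || sources.includes("'unsafe-inline'");
}

// Loading the frame is governed by the parent: frame-src -> child-src -> default-src.
function frameLoadAllowed(parentCsp, frameSrc, parentOrigin) {
  const d = parseCsp(parentCsp);
  const sources = d.get('frame-src') ?? d.get('child-src') ?? d.get('default-src');
  if (sources === undefined) return true;
  const origin = new URL(frameSrc).origin;
  return sources.some((s) => s === '*' || s === origin ||
    (s === "'self'" && origin === parentOrigin));
}

// Constructed sample values (placeholders, not Whatfix's real origin).
const APP = 'https://app.example';
const WIDGET = 'https://widget.example/embed';
const strict = "default-src 'self'";
const scoped = "default-src 'self'; frame-src https://widget.example";
console.log(frameLoadAllowed(strict, WIDGET, APP), frameLoadAllowed(scoped, WIDGET, APP));
console.log(inlineStyleAllowed(effectiveFrameCsp(scoped, { src: WIDGET })));
```

With the scoped policy the parent keeps inline styles blocked in its own document while naming the one origin it is willing to frame.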