I am using fontawesome in in my project and I am trying to add them to the project via webpack.
I have addad import '@fortawesome/fontawesome-free/js/fontawesome.js' into my app.js and have added @import '@fortawesome/fontawesome-free/scss/fontawesome'; to my main.css file.
However, when I am loading my app in the borwser, I am getting the following CSP violation error.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ixVUGs3ai0rMA0pgIVBN0KVlYbQip7/5SGmnUwJPNqE='), or a nonce ('nonce-...') is required to enable inline execution.
The error points to the following section of code that is coming from fontawesome.js
function insertCss(css) {
if (!css || !IS_DOM) {
return;
}
var style = DOCUMENT.createElement('style');
style.setAttribute('type', 'text/css');
style.innerHTML = css;
var headChildren = DOCUMENT.head.childNodes;
var beforeChild = null;
for (var i = headChildren.length - 1; i > -1; i--) {
var child = headChildren[i];
var tagName = (child.tagName || '').toUpperCase();
if (['STYLE', 'LINK'].indexOf(tagName) > -1) {
beforeChild = child;
}
}
DOCUMENT.head.insertBefore(style, beforeChild);
return css;
}
Any idea on how to get this solved without adding unsafe-inline or hardcoded hash in the CSP?
Following is my webpack.config
const TerserPlugin = require("terser-webpack-plugin");
const MiniCssExtractPlugin = require('mini-css-extract-plugin');
const CssMinimizerPlugin = require('css-minimizer-webpack-plugin');
module.exports = {
context: __dirname + '/src',
resolve: {
extensions: ['.js']
},
entry: {
app: './js/app.js',
'app.min': './js/app.js'
},
output: {
path: __dirname + '/../dist/bank',
filename: './js/[name].js',
publicPath: ''
},
optimization: {
minimize: true,
minimizer: [
new TerserPlugin({
include: /\.min\.js$/
}),
new CssMinimizerPlugin({
include: /\.min\.css$/
})
],
},
plugins: [
new MiniCssExtractPlugin({
filename: './css/[name].css',
}),
],
module: {
rules: [
{
test: /\.css$/i, // Process css files
use: [MiniCssExtractPlugin.loader, 'css-loader', 'postcss-loader', 'sass-loader']
},
{
test: /\.(png|jp(e*)g|eot|svg|ttf|woff|woff2)$/, // Process image files
use: [{
loader: 'url-loader',
options: {
esModule: false
}
}]
},
{
test: /\.(html)$/, // Process html files
use: [{
loader: 'html-loader',
options: {
minimize: true
}
}]
}
]
},
};
This issue was solved by removing the fontawesome js imports from the app.js. Apparently, only css files need to be imported and js files (i.e. fontawesome.js, regular.js and solid.js) are not required for the fonts to work.
By removing the js files, neither unsafe-inline, sha-XXX or nonce- is needed in the CSP.