xuguopeng/rrweb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Avoid triggering a CSP (content security policy) error (#846)

Browse Source 
* Fix for #816 - avoid triggering a CSP (content security policy) error with `.setAttribute('style')`

* The bare unattachedDoc that I previously naively created didn't have a doctype and wasn't a HTML document, so the child style element didn't have the `old.style` attribute available

* Add a try/catch to provide some robustness in case `document.implementation.createHTMLDocument` isn't available
This commit is contained in:
Eoghan Murray
2026-04-01 12:00:00 +08:00
committed by GitHub
parent 7456e57916
commit 6f0f7aada0
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
packages/rrweb/src/record/mutation.ts
View File

@@ -472,6 +472,14 @@ export default class MutationBuffer {
if (isIgnored(m.target, this.mirror)) { if (isIgnored(m.target, this.mirror)) {
return; return;
} }
let unattachedDoc;
try {
// avoid upsetting original document from a Content Security point of view
unattachedDoc = document.implementation.createHTMLDocument();
} catch (e) {
// fallback to more direct method
unattachedDoc = this.doc;
}
switch (m.type) { switch (m.type) {
case 'characterData': { case 'characterData': {
const value = m.target.textContent; const value = m.target.textContent;
@@ -554,7 +562,7 @@ export default class MutationBuffer {
} }
if (attributeName === 'style') { if (attributeName === 'style') {
const old = this.doc.createElement('span'); const old = unattachedDoc.createElement('span');
if (m.oldValue) { if (m.oldValue) {
old.setAttribute('style', m.oldValue); old.setAttribute('style', m.oldValue);
} }