codemirror/dev
1
4
Fork 0
Code Issues 19 Pull requests Activity

Use CSSStyleSheet constructor instead of <style> elements #1698

New issue
Open
opened 2026-04-21 15:05:02 +02:00 by ceymard · 3 comments
ceymard commented 2026-04-21 15:05:02 +02:00
Copy link

When creating the codemirror CSS, it injects style elements into the page.

This doesn't sit well with CSP, which doesn't let me use the CSS unless I add things like "unsafe-eval" for css or other directives.

However, CSSStyleSheet adopted through document.body.adoptedStylesheet.add(my_stylesheet) do not suffer the same treatment.

I think it would be a good move to generate CSS with this instead.

After some digging however, I see that style-mod is used, and that style-mod happy does so. I do not understand why CodeMirror's view does not trigger that mechanism however.

When creating the codemirror CSS, it injects style elements into the page. This doesn't sit well with CSP, which doesn't let me use the CSS unless I add things like "unsafe-eval" for css or other directives. However, CSSStyleSheet adopted through `document.body.adoptedStylesheet.add(my_stylesheet)` do not suffer the same treatment. I think it would be a good move to generate CSS with this instead. After some digging however, I see that style-mod is used, and that style-mod happy does so. I do not understand why CodeMirror's view does not trigger that mechanism however.
marijn commented 2026-04-22 11:09:16 +02:00
Owner
Copy link

The reason adoptedStylesheets isn't used in the top document is that I don't want injected styles to override rules with the same precedence specified in <style> tags. See https://github.com/WICG/construct-stylesheets/issues/93 and #360.

The reason `adoptedStylesheets` isn't used in the top document is that I don't want injected styles to override rules with the same precedence specified in `<style>` tags. See https://github.com/WICG/construct-stylesheets/issues/93 and #360.
ceymard commented 2026-04-22 13:11:11 +02:00
Author
Copy link

I understand.

However, it still breaks CSP-powered sites.

Could there be a case to give an option that would change this behaviour in an opt-in manner ?

I understand. However, it still breaks CSP-powered sites. Could there be a case to give an option that would change this behaviour in an opt-in manner ?
marijn commented 2026-04-23 06:51:21 +02:00
Owner
Copy link

Have you tried using EditorView.cspNonce to get around this issue?

Have you tried using [`EditorView.cspNonce`](https://codemirror.net/docs/ref/#view.EditorView^cspNonce) to get around this issue?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
0.16.0
0.15.0
0.14.0
0.13.1
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
0.8.0
0.7.1
0.7.0
0.6.0
0.5.2
0.5.3
0.5.1
0.5.0
0.4.0
0.3.0
0.2.0
0.1.0
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
codemirror/dev#1698
No description provided.