Karl Erik Hofseth
FYI it looks like [firebase/firebase-admin-node](https://github.com/firebase/firebase-admin-node) depends on `dicer` directly, but only for parsing responses from the Firebase API. Should be no real danger there, just annoying to have the security...
I think I actually have a lead on this! I've traced the error, and it turns out to be a single instance of appending an empty stylesheet to the ``...
Something like this:

```typescript
const stylesheet = doc.__svelte_stylesheet || (doc.__svelte_stylesheet = (document.styleSheets.filter(s => s.title === 'svelte-stylesheet')[0] || append_empty_stylesheet(node)) as CSSStyleSheet);
```

is a little better. In theory we could use...
A workaround for this issue: adding `'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='` (the hash value for an empty string) to your CSP's `style-src` allows Svelte to insert the empty document which it can then modify...
This is great work! In general the solution being "the framework/app needs to provide an empty stylesheet" can be prone to errors (and is a bit of a hidden dependency),...
I would be really curious if there are actually any cases where that cast to CSSStyleSheet would be problematic. I mean, I guess there is, like, DSSSL and XSL? The...
The casting happens purely at compile time, `instanceof` actually happens at runtime. I think the native JS might just not have the `CSSStyleSheet` name in scope? Or at least in...
Just adding a note here:

> Re inline styles added by Svelte itself — I'm hoping that we can transition (geddit?) to use the Web Animations API before too long,...
Just to clarify: I don't intend to pass along the url provided in the request, as that would be an obvious security hole (allowing anyone to send users emails linking...
@schuetzm nope, that does not appear to work. I suspect the Safari bug is later in the process maybe? Regardless, it chokes just as happily when explicitly setting the `textContent`...