Description
.setAttribute('style', …) and .style.cssText = … violate the style-src-attr CSP directive where you are essentially not allowed to have the browser parse CSS after initial page load.
Most use cases we have are simply convenient ways to set it to specific values or to support user extension, both of which can be done with style objects instead, and with extensions and middleware (#8353) that will get even easier.
Impact
Will allow lexical to be used on security-conscious pages.
Description
.setAttribute('style', …)and.style.cssText = …violate the style-src-attr CSP directive where you are essentially not allowed to have the browser parse CSS after initial page load.Most use cases we have are simply convenient ways to set it to specific values or to support user extension, both of which can be done with style objects instead, and with extensions and middleware (#8353) that will get even easier.
Impact
Will allow lexical to be used on security-conscious pages.