Description
Before we reach v1.0, I'd like to ensure that no design decision is getting in the way of displaying styles when CSP is enabled.
By default, CSP disallows inline styles and embedded style sheets. The only way to load styles is through a <link rel=stylesheet> tag that points towards a domain listed as trusted in the CSP HTTP header.
There are workarounds for inline <style> tags (you can either provide a (list of) nonce(s) in the HTTP header, or a list of hashes). That means that you must either know the exact content of your style sheets or the number of style sheets you'll push.
I don't know how CSP affects style sheets and inline styles added through JS, though, but given that Angular has an additional stylesheet to handle ngCloak and ngHide in CSP scenarios, I'm a bit pessimistic.
Maybe j2c.inline should return an object, so that the underlying framework has a chance to set the properties through the DOM handlers... Or maybe that's useless too.
Assuming you can insert <style> tags dynamically, are they also subject to hash- or nonce-based validation?
How can we enable styling in both SPA and isomorphic scenarios with minimum hassle?
TODO: investigate.
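
Added example, not part of the original issue and not j2c code: a server-side sketch of the two workarounds described above, building a `style-src` directive from hashes of style sheets known in advance plus a per-response nonce. The function names and the sample CSS are hypothetical, and `inlineStyleAllowed` is a simplified model of the match for a `<style>` element present in the served HTML, not a full CSP implementation.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed sample: a style sheet whose exact text is known at build time.
const SAMPLE_CSS = ".btn{color:red}";

// Hash source for one inline <style> body. The digest covers the exact text
// between the tags, so any change (even whitespace) produces a different source.
function styleHashSource(cssText) {
  const digest = nodeCrypto.createHash("sha256").update(cssText, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Nonce for sheets generated per request; generate a fresh one for every response.
function newNonce() {
  return nodeCrypto.randomBytes(16).toString("base64");
}

// Build the directive: 'self' for <link rel=stylesheet> from the same origin,
// one hash per known sheet, and optionally one nonce.
function buildStyleSrc({ knownSheets = [], nonce = null, allowSelf = true } = {}) {
  const sources = [];
  if (allowSelf) sources.push("'self'");
  for (const css of knownSheets) sources.push(styleHashSource(css));
  if (nonce !== null) {
    if (!/^[A-Za-z0-9+/_-]+={0,2}$/.test(nonce)) throw new Error("invalid nonce");
    sources.push(`'nonce-${nonce}'`);
  }
  if (sources.length === 0) sources.push("'none'");
  return `style-src ${[...new Set(sources)].join(" ")}`;
}

// Simplified model: an inline sheet passes if its hash is listed
// or its nonce attribute equals the nonce in the policy.
function inlineStyleAllowed(policy, cssText, tagNonce) {
  const sources = policy.trim().split(/\s+/).slice(1);
  const byHash = sources.includes(styleHashSource(cssText));
  const byNonce = Boolean(tagNonce) && sources.includes(`'nonce-${tagNonce}'`);
  return byHash || byNonce;
}

// Usage: hash the known sheet, nonce the generated ones.
const nonce = newNonce();
const header = buildStyleSrc({ knownSheets: [SAMPLE_CSS], nonce });
console.log("Content-Security-Policy:", header);
console.log("known sheet allowed:", inlineStyleAllowed(header, SAMPLE_CSS));
console.log("edited sheet allowed:", inlineStyleAllowed(header, SAMPLE_CSS + " "));
```

The hash route only works for style sheets whose bytes are fixed before the header is sent; anything generated per request needs the nonce attribute on its `<style>` tag.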