fix: remove inline style applied to iframe due to CSP #2343

longyulongyu · 2023-10-02T15:04:26Z

Summary

This ticket solves the problem when the nonce attribute is set on the <style> tag, some of the inline styles set to the iframe are blocked.

The changes include subtracting those styles in a separate scss file.

Tested scenarios

How to reproduce the issue:

Checkout the main branch, modify the style-loader config in the packages/playground/config/webpack.dev.js. This step is to allow the webpack dev server to add nonce value to style sheets (playground + adyen-web styles)

                            {
                                loader: 'style-loader',
                                options: {
                                    attributes: {
                                        nonce: 'dummy-nonce'
                                    }
                                }
                            },

Add the following to the <head> section in the packages/playground/src/pages/Dropin/Dropin.html

<meta
            http-equiv="Content-Security-Policy"
            content="
            script-src 'unsafe-inline' https://*.adyen.com https://*.payments-amazon.com https://*.paypal.com https://*.google.com https://*.mastercard.com https://*.visa.com 'self';
            style-src https://*.adyen.com https://*.media-amazon.com https://*.paypal.com https://*.google.com 'self' 'nonce-dummy-nonce';
            img-src https://*.adyen.com https://*.media-amazon.com https://*.paypal.com https://*.gstatic.com 'self';
        "
        />

Check the developer tool, we should see Refused to apply inline style because it violates the following Content Security Policy directive for google pay pay.js and createIframe.ts
Switch to the branch fix-csp-issue-due-to-inline-style, restart the playground, wait for development build.. We shouldn't see browser throwing issues for createIframe.ts file. (The pay.js from Google pay remains.)
Remove the whole <meta> tag, the dropin should render and function correctly.

Fixed issue: #2336

Note:
This ticket doesn't solve Google pay when enabling CSP nonce, merchants can follow the Google's CSP advice.

changeset-bot · 2023-10-02T15:04:29Z

🦋 Changeset detected

Latest commit: 68bb6d2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@adyen/adyen-web	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

github-actions · 2023-10-02T15:10:59Z

Size Change: -241 B (0%)

Total Size: 1.07 MB

Filename	Size	Change
`packages/lib/dist/adyen.js`	283 kB	-63 B (0%)
`packages/lib/dist/cjs/index.js`	245 kB	-61 B (0%)
`packages/lib/dist/es.modern/index.js`	118 kB	-53 B (0%)
`packages/lib/dist/es/index.js`	138 kB	-64 B (0%)

ℹ️ View Unchanged

Filename	Size
`packages/lib/dist/es.modern/ar.js`	6.41 kB
`packages/lib/dist/es.modern/cs-CZ.js`	5.79 kB
`packages/lib/dist/es.modern/da-DK.js`	5.27 kB
`packages/lib/dist/es.modern/de-DE.js`	5.66 kB
`packages/lib/dist/es.modern/el-GR.js`	7.29 kB
`packages/lib/dist/es.modern/es-ES.js`	5.36 kB
`packages/lib/dist/es.modern/fi-FI.js`	5.35 kB
`packages/lib/dist/es.modern/fr-FR.js`	5.47 kB
`packages/lib/dist/es.modern/hr-HR.js`	5.49 kB
`packages/lib/dist/es.modern/hu-HU.js`	5.78 kB
`packages/lib/dist/es.modern/it-IT.js`	5.34 kB
`packages/lib/dist/es.modern/ja-JP.js`	6.18 kB
`packages/lib/dist/es.modern/ko-KR.js`	5.78 kB
`packages/lib/dist/es.modern/nl-NL.js`	5.37 kB
`packages/lib/dist/es.modern/no-NO.js`	5.25 kB
`packages/lib/dist/es.modern/pl-PL.js`	5.76 kB
`packages/lib/dist/es.modern/pt-BR.js`	5.32 kB
`packages/lib/dist/es.modern/pt-PT.js`	5.45 kB
`packages/lib/dist/es.modern/ro-RO.js`	5.58 kB
`packages/lib/dist/es.modern/ru-RU.js`	6.76 kB
`packages/lib/dist/es.modern/sk-SK.js`	5.85 kB
`packages/lib/dist/es.modern/sl-SI.js`	5.43 kB
`packages/lib/dist/es.modern/sv-SE.js`	5.23 kB
`packages/lib/dist/es.modern/zh-CN.js`	5.62 kB
`packages/lib/dist/es.modern/zh-TW.js`	5.74 kB
`packages/lib/dist/es/ar.js`	6.41 kB
`packages/lib/dist/es/cs-CZ.js`	5.79 kB
`packages/lib/dist/es/da-DK.js`	5.27 kB
`packages/lib/dist/es/de-DE.js`	5.66 kB
`packages/lib/dist/es/el-GR.js`	7.29 kB
`packages/lib/dist/es/es-ES.js`	5.36 kB
`packages/lib/dist/es/fi-FI.js`	5.35 kB
`packages/lib/dist/es/fr-FR.js`	5.47 kB
`packages/lib/dist/es/hr-HR.js`	5.49 kB
`packages/lib/dist/es/hu-HU.js`	5.78 kB
`packages/lib/dist/es/it-IT.js`	5.34 kB
`packages/lib/dist/es/ja-JP.js`	6.18 kB
`packages/lib/dist/es/ko-KR.js`	5.78 kB
`packages/lib/dist/es/nl-NL.js`	5.37 kB
`packages/lib/dist/es/no-NO.js`	5.25 kB
`packages/lib/dist/es/pl-PL.js`	5.76 kB
`packages/lib/dist/es/pt-BR.js`	5.32 kB
`packages/lib/dist/es/pt-PT.js`	5.45 kB
`packages/lib/dist/es/ro-RO.js`	5.58 kB
`packages/lib/dist/es/ru-RU.js`	6.76 kB
`packages/lib/dist/es/sk-SK.js`	5.85 kB
`packages/lib/dist/es/sl-SI.js`	5.43 kB
`packages/lib/dist/es/sv-SE.js`	5.23 kB
`packages/lib/dist/es/zh-CN.js`	5.62 kB
`packages/lib/dist/es/zh-TW.js`	5.74 kB