-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP - style-src 'unsafe-inline' should not be required #1050
Comments
Fascinating! |
Would using Alternatively using the Stylesheet api get around this issue? |
That's a negative.
Also a negative, as quoted here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src:
Basically, the styles must come from a trusted source, and sources can have different levels of trust depending on the CSP rules defined for the webpage. To work with almost any CSP configuration, you have the following options (see here for a complete list):
|
@acheronfail can you confirm if #1037 removes the warnings? |
Yep! Can confirm that adding a nonce like #1037 does indeed remove the warnings. Just to confirm though, is there anyway for these styles to contain user/dynamically generated content (that could allow someone to inject unwanted styles, etc)? 🤔 |
No. The library generates the styles |
Hi, another solution would be to provide a separate .css file for the preset styles. |
Interesting. We apply different styles at different points in the lifecycle and change their definition. You can read more about it here: https://medium.com/@alexandereardon/dragging-react-performance-forward-688b30d40a33 |
Dynamically updating styles is a solved problem with |
Right now we cannot use
As we change the rules on the fly to avoid a re-render to update classes (for performance reasons) |
We should also add a test to ensure that there are no CSP errors going forward. Perhaps a puppeteer test would be the most appropriate? |
I think I would be happy to add the Proposed todo:
@Zweder are you okay to pick this up? |
Given that we cannot leverage a class swapping mechanism for performance reasons - lets use this |
I have added unit tests to my PR But, "Write a cypress test with Content-Security-Policy: style-src 'unsafe-inline'" this doesn't make sense, because cypress is the client not the server which should provide the nonce and the csp-header or meta tag and the cypress tests are running against storybook, that makes it very difficult to set headers. I'd like to make some real-world tests, but i don't like to hack into storybook, they do a fine job! @alexreardon any thougts? |
I just want to ensure that we are actually complying with the CSP. I thought a browser test would enable us to be 100% sure. As you mentioned - using storybook complicates it as we don't have control of the server The effort to spin up a new micro server and stand alone example might not be worth it |
Having a look at your browser-test-harness.js spinning up a micro server will not be that difficult and i think i can resure a storybook test without breaking changes. To keep your 'Unopinionated styling' (which i like) possible in a locked down CSP browser, i'm willing to put in the effort to get the tests in place. Btw emotion and jss are doing the same thing to get this working. I's my spare time so i'll need a couple of days. |
I've added a stand alone example and some cypress tests, but there is one thing to mention, cypress strips off the csp header so it doesn't work, but i've added a meta tag in the head with the same policy which also enforces the content-security-policy and that does make it work. Is it time to profit or am i missing something, comments are welcome |
Hi, just asking status of supporting CSP with 'unsafe-inline' rule. There has been a PR open for 8 months that fixes it, but apparently it wont be merged? Can't use this awesome library because passing a nonce is not supported. |
Sorry, alle
Pushed an update, I want it as well
Kind regards,
Zweder
Op di 3 sep. 2019 09:54 schreef NikoHelle <[email protected]>:
… Hi, just asking status of supporting CSP with 'unsafe-inline' rule. There
has been a PR <#1037>
open for 8 months that fixes it, but apparently it wont be merged?
Can't use this awesome library because passing a nonce is not supported.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1050?email_source=notifications&email_token=ADB7VRZZJKUI6IXEK465PUDQHYJZXA5CNFSM4GPQVIPKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5XLASI#issuecomment-527347785>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADB7VR3CYWJ33KBECRINSFLQHYJZXANCNFSM4GPQVIPA>
.
|
Expected behavior
react-beautiful-dnd
should not depend on the the Content-Security-Policy: style-src 'unsafe-inline' directive.Actual behavior
react-beautiful-dnd
adds errors to the console as the CSS is refused by the CSP rules.Error messages in console:
The errors originate from here in
react-beautiful-dnd
.Possible Solutions:
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script.
Steps to reproduce
react-beautiful-dnd
in a page(Alternatively, here is a dead-simple create-react-app repository that you can clone and run to see the errors: https://github.com/acheronfail/react-beautiful-dnd-csp).
What version of
react-beautiful-dnd
are you running?10.0.3
(Latest at the time of this issue).The text was updated successfully, but these errors were encountered: