Added CSP nonce #1037
Added CSP nonce #1037
Conversation
|
For now let's see if this resolves the issue. After that we will need to do some productisation:
|
|
There are a number of CSS in JS solutions that add css to a page without requiring this sort of thing. I think it would be worth looking into how they get around this issue |
|
Hey @alexreardon |
|
Let's pick this up: #1050 (comment) |
|
Hey guys, distant observer here but I just wanted to see where things were with this. Is this PR the only way forward for nonce support or are there other alternatives now? |
|
Right back on it. A cypress test will be up next |
|
Heck yes!
…On Tue, Jun 11, 2019 at 5:11 AM Zweder ***@***.***> wrote:
Right back on it. A cypress test will be up next
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1037?email_source=notifications&email_token=AAQU33K2WPUZ6CPA6A724STPZ2RMZA5CNFSM4GMX2LO2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXK46OI#issuecomment-500551481>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAQU33PTE7AWPY2WWFTOV6LPZ2RMZANCNFSM4GMX2LOQ>
.
|
browser-test-harness.js
Outdated
| process.on('exit', () => { | ||
| storybook.kill(); | ||
| standalone.kill(); | ||
| }); | ||
|
|
||
| waitPort({ |
There was a problem hiding this comment.
can you explain this change?
There was a problem hiding this comment.
standalone is a mini webpack server and client instance, the nonce has to be generated at the server
package.json
Outdated
| @@ -130,6 +130,7 @@ | |||
| "stylelint-config-styled-components": "^0.1.1", | |||
| "stylelint-processor-styled-components": "^1.8.0", | |||
| "testcafe-reporter-xunit": "^2.1.0", | |||
| "uuid": "^3.3.2", | |||
There was a problem hiding this comment.
Can we just use a local sequence generator to avoid another dependency?
Eg:
let count = 0;
function getId(): string {
return `id-${count++}`;
}There was a problem hiding this comment.
I should be a cryptographically save random number but to prove a test i will change it
There was a problem hiding this comment.
This looks better i think
let count = 0; function getNonce(): string { return ThisShouldBeACryptographicallySecurePseudoRandomNumber-${count++}; }
|
Thanks for your hard work on this one. I think it is close to being good to go. I just had a few minor thoughts |
|
It is fantastic that we are actually testing this in a browser. Well done |
| test: /jsx?$/, | ||
| // type: "javascript/auto", | ||
| exclude: [/node_modules/], | ||
| use: [ |
There was a problem hiding this comment.
can we defer to our standard babel rc file for this?
| const path = require('path'); | ||
| const config = require('./webpack.config'); | ||
|
|
||
| const fs = new MemoryFS(); |
There was a problem hiding this comment.
This is the setup for the standalone webpack server and client, which run from memory saves a lot of pollution of output files
| const compiler = webpack(config); | ||
|
|
||
| // $ExpectError | ||
| compiler.outputFileSystem = fs; |
There was a problem hiding this comment.
can you explain this one to me? I am not a webpack ninja
There was a problem hiding this comment.
I've never managed to get Flow happy about specifiing a outputFileSystem, but i dont like to cleanup everything webpack outputs
|
Just a general question. Would it be preferable to either rely on a meta tag instead of a passed prop or allow both? I ask this since there are a few other packages that pull in react-beautiful-dnd that may or may not allow the passing of a nonce from the consumer to the react-beautiful-dnd component. A decent example of this is JSS which uses a meta tag named "csp-nonce". Here is how they are implementing their use of that meta tag. Their implementation allows downstream consumers to pass a nonce to their components effectively without having to rely on the middleman to pass the nonce through. |
|
That seems really smart @NFabrizio. What do you think @Zweder ? |
|
You are right @NFabrizio, actually thats the whole idea behind this PR but in a different way. Accessing the dom is not efficient thats why you schould provide the nonce with the help of React.Context which in turn gets the nonce from a meta tag or something else. That means that you only access the dom once in the lifetime of the app, and you can reuse that context provider for every third party component that needs a nonce. In src/test/standalone/server.js i do add a meta tag csp-nonce and in src/test/standalone/client.js it picks up the meta tag and provides the nonce to the DragDropContext in src/test/standalone/app.jsx without React.Context for simplicity |
|
@alexreardon It would be nice if you could find some time to review my commits |
|
This looks good to me. Can we please target the |
|
@alexreardon On it, i've got to fix the tests, the rest was a easy merge |
|
@alexreardon this PR is now in sync with the dev branch. Some tests are failing but are not related to this PR. |
|
I'll try to take a look at this soon 👍 |
|
This is looking really good! One more thing: can you create a |
|
If you do not have time, I can try to put something together |
|
I can make time upcoming weekend, it's not something I can do in 5min
Op do 26 sep. 2019 03:16 schreef Alex Reardon <[email protected]>:
… If you do not have time, I can try to put something together
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1037?email_source=notifications&email_token=ADB7VR5Z5C4J7TP5IEP4S3TQLQEN5A5CNFSM4GMX2LO2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7T5HHY#issuecomment-535286687>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADB7VR3KSEWCYGGWJLNZTH3QLQEN5ANCNFSM4GMX2LOQ>
.
|
|
I've added content-security-policy it's insired on the JSS CSP docs but it shows how to use it and explains what it's for. Have a look |
|
Fantastic work on this! |
|
👏 This will be going out in |
I added a nonce property to DragDropContext which is added to the injected style tags to make this project work with strict ContentSecurityProtection settings