Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JSS limitations with Content-Security-Policy? #4647

Closed
smuda opened this issue Jul 8, 2016 · 9 comments
Closed

JSS limitations with Content-Security-Policy? #4647

smuda opened this issue Jul 8, 2016 · 9 comments
Labels
discussion

Comments

@smuda
Copy link

smuda commented Jul 8, 2016

Problem description

When using a Content-Security-Policy of "default-src 'self'" I get errors from Chrome and Firefox that the code violates the CSP:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-D8Sj8qhd4FvnVwN5w9riiArwsqYOEwHolv228Ic6Vqk='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

It seems to be from EnhancedButton.js function injectStyle() where an inline-CSS are added to document.body:

    // Remove inner padding and border in Firefox 4+.
    var style = document.createElement('style');
    style.innerHTML = '\n      button::-moz-focus-inner,\n      input::-moz-focus-inner {\n        border: 0;\n        padding: 0;\n      }\n    ';

    document.body.appendChild(style);
    styleInjected = true;

Commenting out document.body.appendChild removes the CSP violation message. Would it be possible to add the styling in another way to not violate the CSP?

Steps to reproduce

Add HTTP header "Content-Security-Policy" with value "default-src 'self'" and use a EnhancedButton on the page.

Versions

  • Material-UI: 0.15.1
  • React: 15.2.0
  • Browser: Chrome 51.0.2704.106 (64-bit), Firefox 47.0.1
@mpontikes mpontikes mentioned this issue Aug 5, 2016
Closed
13 tasks
@harriha
Copy link

harriha commented Jan 26, 2017

This is quite unfortunate behavior, as it requires hacking around this if wanting to have strict CSP rules in an app (and no errors in the browser console). The piece of code seems to date back to almost two years, and seems to be the only case where this approach is being used, I'd imagine there is a better way to do such reset within this lib.

@harriha
Copy link

harriha commented Jan 26, 2017

FWIW, this can luckily be "fixed" via adding a specific hash describing this inline style to style-src as suggested by Chrome DevTools, for instance:

style-src 'self' 'sha256-D8Sj8qhd4FvnVwN5w9riiArwsqYOEwHolv228Ic6Vqk='

Works as far as nobody touches that resulting piece of CSS (also whitespace matters there).

@oliviertassinari
Copy link
Member

@harriha Thanks for the tips! We changed our styling approach with the next branch removing the need for that hack. I'm not sure how the CSS-in-JS solution (JSS) performs regarding CSP. Any clue?

@harriha
Copy link

harriha commented May 25, 2017

@oliviertassinari Good to hear, cheers! And indeed, this wasn't the only CSP issue I eventually ran into (first it seemed this was the only one affecting my project), CSS-in-JS in general turned out to be quite problematic in this regard. Thus, even though I managed to find a workaround for this particular issue, had to stick with the unsafe-inline anyway for the time being.

@oliviertassinari
Copy link
Member

oliviertassinari commented May 25, 2017
edited
Loading

I adding @kof to the conversation has he might have some insight on the Content-Security-Policy implication of JSS and couldn't find any reference on the repository.

@kof
Copy link
Contributor

kof commented May 25, 2017

Interesting problem, didn't research it yet. Please create an issue on JSS issue tracker if there is anything we can do over there to prevent it in JSS.

@harriha
Copy link

harriha commented May 25, 2017

Ah, must clarify one thing: strict CSP is not a problem with all CSS-in-JS approaches, only with those which rely on inline styling or adding/removing <style> tags runtime (afaics, I don't claim to be an expert on CSP details). I'm not familiar with JSS (yet) and missed that reference in Olivier's original reply, thus the slight confusion here. Haven't realized this project is moving away from inline styling, which is very nice from CSP point of view as well.

What comes to CSP in the JSS project: being compatible with strict CSP would get thumbs up from me at least. Not sure what would the best way to create an automated test setup for this, but luckily browsers are helpfully recording the violations to the console at least - and can send them to server as well if the report-uri is set. The report-only version might be worth considering in such test setup if taking this route.

@kof
Copy link
Contributor

kof commented May 26, 2017
edited
Loading

All cssinjs either do inline or add/remove style tags. In JSS you could write a plugin which could yeld a warning + remove CSP unconform property so that the entire sheet continues to work.

@oliviertassinari oliviertassinari changed the title EnhancedButton adds inline style that violates strict Content-Security-Policy JSS limitations with Content-Security-Policy? Jul 30, 2017
@oliviertassinari
Copy link
Member

oliviertassinari commented Nov 13, 2017
edited
Loading

The issue was resolved with cssinjs/jss#559. I'm upgrading JSS to v9.3.0. You can use a nonce with this version. window.__webpack_nonce__ = 'what you want'.

@oliviertassinari oliviertassinari mentioned this issue Feb 20, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kof @harriha @smuda @oliviertassinari