Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Svelte WebComponents compatible with trusted-types CSP #8134

Closed
fallaciousreasoning opened this issue Dec 22, 2022 · 1 comment · Fixed by #8135
Closed

Make Svelte WebComponents compatible with trusted-types CSP #8134

fallaciousreasoning opened this issue Dec 22, 2022 · 1 comment · Fixed by #8135

Comments

@fallaciousreasoning
Copy link
Contributor

fallaciousreasoning commented Dec 22, 2022
edited
Loading

Describe the problem

Currently, when compiling Svelte components to Web Components, the style is set via innerHTML:

constructor(options) {
	super();

	this.shadowRoot.innerHTML = `<style>....</style>`
	......
}

This is fine, as the styles are generated at compile time and don't contain any untrusted data. However, if an application has a TrustedTypes CSP set up, this line will throw an error. The only way for them to fix it is to add a default policy, which isn't ideal as it reduces the protection from the policy.

Describe the proposed solution

Use textContent to set the stylesheet content, rather than innerHTML.

// Instead of
this.shadowRoot.innerHTML = `<style>${css}</style>`

// we might be able to do:
const style = document.createElement('style');
style.textContent = css;
this.shadowRoot.appendChild(style);

which might be preferable all round (not sure if there are any performance implications). I have a PR open with this fix #8135. I've tested using the our CSP in the version of Svelte from my fork and it fixes it nicely!

Alternatives considered

We could create a svelte-web-component-style-literal no-op policy which is used instead. That way, consumers can allow the svelte-web-component-style-literal policy if they use Svelte web-components and everything will just work. I have a branch with a working proof of concept https://github.com/fallaciousreasoning/svelte/tree/trustedTypes but I think it's a bit less elegant.

const policy = window.trustedTypes.createPolicy('svelte-web-component-style-literal', { createHTML: html => html });

// in our constructor
this.shadowRoot.innerHTML = policy.createHTML(`<style>${css}</style>`)

This is the same way LitHTML and Polymer have solved the problem:

Importance

i cannot use svelte without it (it breaks our CSP)
@fallaciousreasoning fallaciousreasoning changed the title TrustedTypes Support in WebComponents Make Svelte WebComponents compatible with trusted-types CSP Dec 22, 2022
@fallaciousreasoning fallaciousreasoning mentioned this issue Dec 22, 2022
Merged
4 tasks
@Conduitry
Copy link
Member

This should be fixed now in 3.56.0.

@fallaciousreasoning fallaciousreasoning mentioned this issue Mar 10, 2023
Merged
@dominikg dominikg mentioned this issue Mar 10, 2023
Merged
@fallaciousreasoning fallaciousreasoning mentioned this issue Nov 27, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: trusted-types CSP compatibility for Web Components fallaciousreasoning/svelte
2 participants
@fallaciousreasoning @Conduitry