Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add nonce as props for inline style #48

Open
acreations opened this issue May 10, 2024 · 9 comments
Open

Add nonce as props for inline style #48

acreations opened this issue May 10, 2024 · 9 comments

Comments

@acreations
Copy link

Is your feature request related to a problem? Please describe.
Im using a nonce as a CSP rules for inline styles and when running this library CSP rules are complaining

Describe the solution you'd like
Not sure if it is the best approach but could we have nonce as props to OTPInput and added when having inline style (on row 174 in input.tsx file)

@guilhermerodz
Copy link
Owner

hey @acreations I don't get exactly what this issue is about and how to reproduce.

can you clarify on that?

@guilhermerodz guilhermerodz reopened this Aug 9, 2024
@guilhermerodz guilhermerodz closed this as not planned Won't fix, can't repro, duplicate, stale Aug 9, 2024
@paulschuetz
Copy link

paulschuetz commented Nov 15, 2024

Hey!

Content-Security-Policies are an essential tool to protect users from bad code being executed on the users device.

If you have a basic content security policy, like Content-Security-Policy: "style-src 'self'" you get the following error.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'

This is due to the following code. which programatically adds styles inline.

document.head.appendChild(styleEl)

Instead the styles should be in a separate stylesheet and the script should only set the styles via css class names as far as I understand. Do you understand what I mean?

would be great if we could fix this as this make the adoption of this library very difficult when working with CSPs.

@paulschuetz
Copy link

@guilhermerodz Can you reproduce this? Are you open for contributions regarding this issue? 😃

@paulschuetz
Copy link

w3c/webappsec-csp#399 related issue

@paulschuetz
Copy link

I think reading the current nonce from the script via document.currentScript.nonce and setting the nonce to the stylesheet (if present) via style.setAttribute('nonce', nonce) could already do the trick.

@guilhermerodz
Copy link
Owner

guilhermerodz commented Nov 19, 2024

Hey!

Content-Security-Policies are an essential tool to protect users from bad code being executed on the users device.

If you have a basic content security policy, like Content-Security-Policy: "style-src 'self'" you get the following error.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'

This is due to the following code. which programatically adds styles inline.

document.head.appendChild(styleEl)

Instead the styles should be in a separate stylesheet and the script should only set the styles via css class names as far as I understand. Do you understand what I mean?

would be great if we could fix this as this make the adoption of this library very difficult when working with CSPs.

Now I get it. I'll see what we can do about it.

Perhaps style.setAttribute('nonce', nonce) can fix it

Have you tried it? @paulschuetz

@guilhermerodz guilhermerodz reopened this Nov 19, 2024
@paulschuetz
Copy link

Hey!
Content-Security-Policies are an essential tool to protect users from bad code being executed on the users device.
If you have a basic content security policy, like Content-Security-Policy: "style-src 'self'" you get the following error.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'

This is due to the following code. which programatically adds styles inline.
document.head.appendChild(styleEl)
Instead the styles should be in a separate stylesheet and the script should only set the styles via css class names as far as I understand. Do you understand what I mean?
would be great if we could fix this as this make the adoption of this library very difficult when working with CSPs.

Now I get it. I'll see what we can do about it.

Perhaps style.setAttribute('nonce', nonce) can fix it

Have you tried it? @paulschuetz

Not yet, should I come up with a POC?

@paulschuetz
Copy link

paulschuetz commented Nov 20, 2024

seems to work, see https://github.com/paulschuetz/csp-inline-styles-poc
should be quite easy to implement for this library! Can you do it? Or do you need support?

@guilhermerodz
Copy link
Owner

hey, I still have no idea how to implement this and didn't have time for it. can you make a PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants