
Export Excel with enable CSP #194

Closed
kostuk opened this issue May 25, 2023 · 7 comments

Comments

@kostuk

kostuk commented May 25, 2023

It gets an error in the console:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-fvLdnKXmxntehxxIMVSB5YnK+8d92LveagzKckkSwX8=' 'sha256-GNRobwOTyGkozwJdtGT1E9I56OarlRhieZn/F+TNgE8=' 'sha256-vK1+3up6XZFYcAPUBBXM6GUs17xUZBHFVfTOuf9gmng=' 'sha256-glb80g0YSZJ4+Iqv0pIJEIZkAgKUqpLrDc+LvKAGqkk=' 'sha256-j5x3OyPLy5hpwkYnV9YYltBj+QRBKmkbfNzoXl0gchA=' 'sha256-WR7qzNkY4rs4D8buIweX2fTWpDKTBiTFUwg2dtOWHxo=' 'sha256-OYqGOQCX6Gi3nDyz8GKw3p5VbYdq44yqXgoDgvVJdPU=' 'sha256-RvAvREUHojDuwHylTVWZp9DhleqLs6ml8G7LpjCF+EY=' 'sha256-OzRQ42XE++h1N4x+cOYeQE8s9BxAfc45zdfTkIfO8LM='". Either the 'unsafe-inline' keyword, a hash ('sha256-ICa0DhwZQJsOd/Rn0N8H6FdQ71GfNL+op2zhAQ+Y4mM='), or a nonce ('nonce-...') is required to enable inline execution.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-hashes' 'sha256-fvLdnKXmxntehxxIMVSB5YnK+8d92LveagzKckkSwX8=' 'sha256-GNRobwOTyGkozwJdtGT1E9I56OarlRhieZn/F+TNgE8=' 'sha256-vK1+3up6XZFYcAPUBBXM6GUs17xUZBHFVfTOuf9gmng=' 'sha256-glb80g0YSZJ4+Iqv0pIJEIZkAgKUqpLrDc+LvKAGqkk=' 'sha256-j5x3OyPLy5hpwkYnV9YYltBj+QRBKmkbfNzoXl0gchA=' 'sha256-WR7qzNkY4rs4D8buIweX2fTWpDKTBiTFUwg2dtOWHxo=' 'sha256-OYqGOQCX6Gi3nDyz8GKw3p5VbYdq44yqXgoDgvVJdPU=' 'sha256-RvAvREUHojDuwHylTVWZp9DhleqLs6ml8G7LpjCF+EY=' 'sha256-OzRQ42XE++h1N4x+cOYeQE8s9BxAfc45zdfTkIfO8LM='". Either the 'unsafe-inline' keyword, a hash ('sha256-ZD0chCyBaNHl+4UwQHJIHGoYhKwMeyCXGgJTKW5/67E='), or a nonce ('nonce-...') is required to enable inline execution.

The function to parse XML doesn't work:

var rels = getXml('xl/worksheets/sheet1.xml');

with this XML:

"xl/worksheets/sheet1.xml":
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'+
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac">'+
        '<sheetData/>'+
        '<mergeCells count="0"/>'+
    '</worksheet>',

I tested free-style XML with jQuery and it gets the error too.
But well-known XML like RSS works fine:

$.parseXML( "<rss version='2.0'><channel><title>RSS Title</title></channel></rss>" );

@AllanJard
Contributor

Thanks for letting me know about that. I'll dig into it next week. It might require the XML to be created using nodes rather than just a string :(

@AllanJard
Contributor

I haven't been able to reproduce this error I'm afraid.

If I add a simple meta tag to enable CSP:

<meta http-equiv="Content-Security-Policy" content="style-src 'self'">

And set up the table to allow Excel file creation, then it works okay: https://live.datatables.net/wociliya/1/edit .

What am I missing?

@kostuk
Author

kostuk commented Jun 2, 2023

It's my mistake.
I use CSP with require-trusted-types-for 'script'.
I get the error "This document requires 'TrustedHTML' assignment."
Next I define a default TrustedHTML policy using DOMPurify:

if (window.trustedTypes && window.trustedTypes.createPolicy) {
    trustedTypes.createPolicy('default', {
        createHTML: (input) => {
            return DOMPurify.sanitize(input, { RETURN_TRUSTED_TYPE: true })
        }
    });
}

So the XML passed to the DOM gets sanitized.

@AllanJard
Contributor

Sorry, I'm not quite following along. Can you let me know what I need to set the CSP to, to see this error please? Or perhaps you could update this example to demonstrate the issue?

@kostuk
Author

kostuk commented Jun 17, 2023

Yes.
New example: I add

<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'" />

And get the error:
Uncaught TypeError: Failed to set the 'innerHTML' property on 'Element': This document requires 'TrustedHTML' assignment.

To fix this error:

if (window.trustedTypes && window.trustedTypes.createPolicy) {
    window.trustedTypes.createPolicy('default', {
        // for example DOMPurify.sanitize, as in the earlier comment
        createHTML: (string, sink) => DOMPurify.sanitize(string, { RETURN_TRUSTED_TYPE: true })
    });
}

Need to use the sanitizer for the Excel XML too.

@AllanJard
Contributor

Thanks. The error is actually coming from jQuery there. Interestingly enough, Firefox doesn't implement that CSP and it runs fine. It fails in Chrome though.

It looks like there is an open issue on the jQuery repo for this.

@AllanJard
Contributor

Looking in on this again, and if you have require-trusted-types-for 'script' then you need to provide a sanitizer for the createHTML type. As a hack you can use:

window.trustedTypes.createPolicy('default', {
  createScriptURL: (s) => s,
  createHTML: s => s,
});

Although obviously that negates any security. Don't do it! However, if you are specifying tight security for writing to the DOM, you need to provide a sanitizer, and this is the construct you'd use for it. I don't think it is the responsibility of this library to provide that (in the same way that it doesn't set the CSP), therefore going to close as out of scope.
