Login/Install Page needs unsafe-inline styles to be allowed by CSP in order to render correctly #1321
Comments
#1474 should address the concerns pointed out here, so we are going to close this issue. If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request – see the CONTRIBUTING.md file for guidelines.
@nelsonwittwer I'm not sure #1474 actually fixed this issue. It just adjusts the CSP for the We just ran into this for another app. The only way to fix it is to set I'm more than happy to put up a PR because using a nonce is the best way to handle this and avoid
@nickpith - I'd love to see a PR if you are interested in seeing this nonce added. Feel free to tag me once you've got the PR ready to roll! Thanks :)
This issue is stale because it has been open for 60 days with no activity. It will be closed if no further action occurs in 14 days.
We are closing this issue because it has been inactive for a few months. If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request – see the CONTRIBUTING.md file for guidelines. Thank you!
Reopening because I'm still hoping to find some time to make a change for this.
This issue is stale because it has been open for 60 days with no activity. It will be closed if no further action occurs in 14 days.
We are closing this issue because it has been inactive for a few months. If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request – see the CONTRIBUTING.md file for guidelines. Thank you!
Description
The login/install page seems to use inline styles and as such does not render as expected when a Content Security Policy that does not allow inline styles is applied. The screenshots below show the login/install page in action without CSP and with a CSP that disallows inline styles.
Note that even though the login/install page does not render as expected (when a CSP that disallows inline styles is applied), the Install app button functionality works perfectly fine when invoked.
Login/Install Page (without any CSP) - Renders as expected
Login/Install Page (with a CSP that disallows inline styles) - Does not render as expected
Is there a way I can configure/initialize shopify_app so that the styles it uses are external (instead of inline) or any other workaround that I can use in my app so that I don't have to relax the content security policy (to allow inline styles) just to ensure that the app login/install page renders correctly?
Steps to Reproduce
Expected behavior:
The Login/Install page renders as expected even when a CSP that disallows inline styles is applied. See above screenshots for reference.
Actual behavior:
The Login/Install page does not render as expected when a CSP that disallows inline styles is applied. See above screenshots for reference.
Reproduces how often:
Every time
Browsers
Tested (and observed) with Firefox but should also happen with other browsers
Gem versions
shopify_app 18.0.2
Additional Information
Security
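The CSP behaviour described in this issue and the nonce approach raised in the comments, as an added example that is not part of the issue thread or of shopify_app's code. It is a simplified model of how a browser decides whether an inline <style> element may apply; all function names, the sample page and the policies are constructed for illustration.

```ruby
require "securerandom"

# Constructed sample: a login page with one inline <style> block.
def render_login_page(nonce: nil)
  attr = nonce ? %( nonce="#{nonce}") : ""
  "<html><head><style#{attr}>.login{margin:0 auto}</style></head><body></body></html>"
end

# Parse a CSP header value into { directive => [source expressions] }.
def parse_csp(header)
  header.split(";").map(&:strip).reject(&:empty?).each_with_object({}) do |part, policy|
    name, *sources = part.split(/\s+/)
    policy[name.downcase] ||= sources # first occurrence of a directive wins
  end
end

# Simplified model of the browser's check for one inline <style> element.
# style-src falls back to default-src; no governing directive means no restriction.
def inline_style_allowed?(header, element_nonce)
  policy = parse_csp(header)
  sources = policy["style-src"] || policy["default-src"]
  return true if sources.nil?
  nonces = sources.grep(/\A'nonce-.+'\z/)
  hashes = sources.grep(/\A'sha(256|384|512)-.+'\z/)
  return true if element_nonce && nonces.include?("'nonce-#{element_nonce}'")
  # 'unsafe-inline' is ignored once a nonce or hash source is present.
  sources.include?("'unsafe-inline'") && nonces.empty? && hashes.empty?
end

# Collect the nonce attribute (or nil) of every <style> tag in the page.
def style_nonces(html)
  html.scan(/<style([^>]*)>/).map { |(attrs)| attrs[/nonce="([^"]+)"/, 1] }
end

# True only if every inline <style> block in the page would be applied.
def page_renders_styled?(header, html)
  style_nonces(html).all? { |n| inline_style_allowed?(header, n) }
end

STRICT = "default-src 'self'; style-src 'self'"
nonce = SecureRandom.base64(16) # fresh, unpredictable value per response
NONCE_POLICY = "default-src 'self'; style-src 'self' 'nonce-#{nonce}'"

puts page_renders_styled?(STRICT, render_login_page)
puts page_renders_styled?(NONCE_POLICY, render_login_page(nonce: nonce))
puts page_renders_styled?(NONCE_POLICY, render_login_page(nonce: "stale"))
```

A nonce only authorizes <style> elements; style="..." attributes on individual tags are not covered by it and would still be blocked under such a policy.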