
Login/Install Page needs unsafe-inline styles to be allowed by CSP in order to render correctly #1321

Closed
1 task done
n33l4y opened this issue Oct 5, 2021 · 8 comments

@n33l4y commented Oct 5, 2021

Description

The login/install page seems to use inline styles and as such does not render as expected when a Content Security Policy that does not allow inline styles is applied. The screenshots below show the login/install page in action without CSP and with a CSP that disallows inline styles.

Note that even though the login/install page does not render as expected (when a CSP that disallows inline styles is applied), the Install app button functionality works perfectly fine when invoked.

Login/Install Page (without any CSP) - Renders as expected

[Screenshot: without_csp-app_install_page]

Login/Install Page (with a CSP that disallows inline styles) - Does not render as expected

[Screenshot: with_csp-app_install_page]

Is there a way I can configure/initialize shopify_app so that the styles it uses are external (instead of inline) or any other workaround that I can use in my app so that I don't have to relax the content security policy (to allow inline styles) just to ensure that the app login/install page renders correctly?

Steps to Reproduce

  1. I have created a sample app at ns-sample-app
  2. Cloning and running the sample app should reproduce the issue

Expected behavior:

The Login/Install page renders as expected even when a CSP that disallows inline styles is applied. See the screenshots above for reference.

Actual behavior:

The Login/Install page does not render as expected when a CSP that disallows inline styles is applied. See the screenshots above for reference.

Reproduces how often:

Every time

Browsers

Tested (and observed) with Firefox, but it should also happen with other browsers.

Gem versions

shopify_app 18.0.2

Additional Information

Security

  • I have redacted any private information from my logs or code snippets.
@n33l4y n33l4y added the bug label Oct 5, 2021
@nelsonwittwer nelsonwittwer self-assigned this Aug 29, 2022
@nelsonwittwer (Contributor) commented:

#1474 should address the concerns pointed out here, so we are going to close this issue.

If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md (.github/CONTRIBUTING.md) file for guidelines.

@nickpith (Contributor) commented:

@nelsonwittwer I'm not sure #1474 actually fixed this issue. It just adjusts the CSP for the frame-ancestors not style-src.

We just ran into this for another app. The only way to fix it is to set unsafe-inline in the CSP for style-src. However, I believe we can update the login/install page's <style> tags to specify a nonce.

I'm more than happy to put up a PR because using a nonce is the best way to handle this and avoid unsafe-inline.
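To make the difference between the two CSP options discussed in this thread concrete (the `'unsafe-inline'` relaxation the reporter wants to avoid versus the per-request nonce proposed above), here is an added example in plain Ruby. It is not code from shopify_app or from any participant; the policy strings, the `<style>` rendering and the simplified browser decision model are all constructed for illustration, and real CSP also accepts hashes, which this model leaves out.

```ruby
require "securerandom"

# Fresh nonce per response. Rails' content_security_policy_nonce helper
# does the same job inside a view; this stand-alone version is for the demo.
def generate_nonce
  SecureRandom.base64(16)
end

# Build the response's CSP header value.
# nonce: nil  -> the weak setting (needs 'unsafe-inline' for the page to render)
# nonce: "x"  -> the hardened setting: only <style nonce="x"> elements may run
def style_src_policy(nonce: nil)
  if nonce
    "default-src 'self'; style-src 'self' 'nonce-#{nonce}'"
  else
    "default-src 'self'; style-src 'self' 'unsafe-inline'"
  end
end

# Render an inline <style> element, optionally carrying the nonce attribute
# (the change proposed for the gem's login/install page).
def render_style_tag(css, nonce: nil)
  attr = nonce ? %( nonce="#{nonce}") : ""
  "<style#{attr}>#{css}</style>"
end

# Simplified model of how a browser evaluates style-src for an inline
# <style> element: allowed with 'unsafe-inline', or with a matching nonce.
def inline_style_allowed?(policy, tag)
  style_src = policy.split(";").map(&:strip).find { |d| d.start_with?("style-src") }
  return false unless style_src

  sources = style_src.split[1..]
  return true if sources.include?("'unsafe-inline'")

  tag_nonce = tag[/nonce="([^"]*)"/, 1]
  return false if tag_nonce.nil? || tag_nonce.empty?
  sources.include?("'nonce-#{tag_nonce}'")
end

if $PROGRAM_NAME == __FILE__
  nonce = generate_nonce
  strict = style_src_policy(nonce: nonce)
  css = "body { margin: 0 }"
  puts "nonced tag under strict policy:   #{inline_style_allowed?(strict, render_style_tag(css, nonce: nonce))}"
  puts "un-nonced tag under strict policy: #{inline_style_allowed?(strict, render_style_tag(css))}"
  puts "un-nonced tag under unsafe-inline: #{inline_style_allowed?(style_src_policy, render_style_tag(css))}"
end
```

The last two lines of output show the trade-off: with `'unsafe-inline'` every inline style block is accepted, whereas the nonce policy accepts only the block the server tagged for this response and rejects any other inline style, including one with a stale or guessed nonce.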

@nickpith nickpith reopened this Feb 24, 2023
@nelsonwittwer (Contributor) commented:

@nickpith - I'd love to see a PR if you are interested in seeing this nonce added. Feel free to tag me once you've got the PR ready to roll! Thanks :)

@github-actions (bot) commented:

This issue is stale because it has been open for 60 days with no activity. It will be closed if no further action occurs in 14 days.

@github-actions github-actions bot added the stale label Jun 13, 2023
@github-actions (bot) commented:

We are closing this issue because it has been inactive for a few months.
This probably means that it is not reproducible or it has been fixed in a newer version.
If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.

If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md file for guidelines.

Thank you!

@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Jun 27, 2023
@nickpith (Contributor) commented:

Reopening because I'm still hoping to find some time to make a change for this.

@github-actions (bot) commented:

This issue is stale because it has been open for 60 days with no activity. It will be closed if no further action occurs in 14 days.

@github-actions github-actions bot added the stale label Aug 28, 2023
@github-actions (bot) commented:

We are closing this issue because it has been inactive for a few months.
This probably means that it is not reproducible or it has been fixed in a newer version.
If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.

If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md file for guidelines.

Thank you!

@github-actions github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Sep 11, 2023