Inline style blocks and CSP

[spdawson]

Trix injects a couple of inline <style> blocks into the page <head>: one for the editor itself, and another for the toolbar. Neither block includes a nonce attribute; consequently, the CSP must include 'unsafe-inline' in the style-src directive.

It would be nice to be able to either:

1. Have Trix auto-generate nonce attributes for its inline style blocks, or...
2. Preferably, eliminate the need for these inline <style> blocks altogether

Maybe I'm missing the point, but these <style> blocks appear not to contain anything that could not be factored out into the existing trix.css external stylesheet.

Steps to Reproduce

1. Use Trix
2. Inspect the page source
3. See the inline <style> blocks that Trix has injected

Details

• Trix version: 0.10.1
• Browser name and version: Chromium 56.0.2924.76
• Operating system: Ubuntu 16.04 (64-bit)

[javan]

Hey @spdawson, thanks for the report!

Maybe I'm missing the point, but these <style> blocks appear not to contain anything that could not be factored out into the existing trix.css external stylesheet.

The inline <style> styles are for crucial core functionality and behavior. Without them, the editor may not behave correctly. The trix.css are optional and purely decorative. So, that's the reason they're separate. Technically you're correct, the inline styles could be moved to an external .css file.

I see a couple options:

1. Add a Trix.config option to disable the inline styles and offer them as a .css file alternative.

2. Provide Trix with a nonce to use for its <style> tags, possibly as a <meta name="trix-style-nonce" content="..."> tag. Might look something like:

   --- a/src/trix/core/helpers/custom_elements.coffee
   +++ b/src/trix/core/helpers/custom_elements.coffee
   @@ -35,9 +35,15 @@ insertStyleElementForTagName = (tagName) ->
      element = document.createElement("style")
      element.setAttribute("type", "text/css")
      element.setAttribute("data-tag-name", tagName.toLowerCase())
   +  if nonce = getNonceForStyleElement()
   +    element.setAttribute("nonce", nonce)
      document.head.insertBefore(element, document.head.firstChild)
      element
    
   +getNonceForStyleElement = ->
   +  if element = document.head.querySelector("meta[name=trix-style-nonce]")
   +    element.getAttribute("content")
   +

[stale]

This issue has been automatically marked as stale after 90 days of inactivity. It will be closed if no further activity occurs.

[SleeplessByte]

This should not have been marked as stale (as in: it has not been resolved)

[y-yagi]

It seems not fixed. Is there any plan to fix this in Trix?

[stale]

This issue has been automatically marked as stale after 90 days of inactivity. It will be closed if no further activity occurs.

[SleeplessByte]

It's not stale.

[tilsammans]

Just ignored @SleeplessByte