add option to log hashes of svelte style blocks (needs svelte patch too) #21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When command-pal runs, svelte inject style blocks into the page.
These style blocks will not be applied if you use Content Security
Policies (CSP) to secure your web application. To allow them to be
applied, you need to add hashes for the style blocks to the style-src
(or default-src) CSP settings.
This patch adds a reportStyleHash option to CommandPal. This along
with a modification to the append() function in the node module
svelte/internal/index.mjs results in console.log
output like:
svelte-1qhguwm-style 'sha256-gwaXl9ypsP5M+Pl7IPC4TdkehJgQRvkKmcYSf6NCydU='
svelte-bvn01s-style 'sha256-uBf9jI60SnIb3YTm/PeNRoEUOwpLyiOgSOmdm9XR8v8='
svelte-1ary9cc-style 'sha256-RpNJcpPx5tmGIdPUg0nsHLh99/fW3Gh85m5Kr+izRG8='
svelte-zz386-style 'sha256-flay8qiGrAOgKV+HMGAUkHtP0Ff+D+FyO2PBYlnYM78='
where the second element is the hash and the first element is the id
for the injected style block. The hashes (including the ') can be
copied into a CSP string.
You should calculate these for your copy of the command-pal JavaScript
library. They should remain the same as long as the library isn't
updated.
To make this work also requires a change be made to a node-module
used to build command-pal.
The file node-modules/svelte/internal/index.mjs needs a modified
definition of the append() function. Modify the append function by
inserting:
if ( node.tagName === "STYLE") {
cp_hashFromString(node.id, node.innerText).then(
function (value) {if (value) { console.log(value) }}
)
}
at the beginning of the function.
This patch includes two versions of cp_hashFromString. It will use
it's internal definitions only if cp_hashFromString is undefined. If
window.cp_hashFromString collides with a different function or
something that is not a function, you will get an error and CommandPal
will not work.
If reportStyleHash is set to false (default), the version that is used
just returns null. This suppresses console output. If reportStyleHash
is set to truthy it invokes a version from
https://stackoverflow.com/a/69486709 to return the base64 encoded
sha256 hash for the style. When the browser calculates the sha256 hash
for the injected style it sees that it matches a sha256 in the CSP
header and applies the style block.
You can also define a cp_hashFromString in script tag in your web page
before invoking CommandPal. In this case, your version will be used so
you could generate sha512 hashes if you wanted.
Note this is a hack. There should be some way to externalize the
injected style blocks so they can be included using <style
nonce="...">. This would eliminate the need to update the CSP with
each new CommandPal release. But I am only smart enough to work
around it this way.
|
The change to App.svelte may not be required. As I was building a bundle from merging my branches |
When not using localhost or https, the crypto libraries are unavailable. Detect this case and alert the user.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When command-pal runs, svelte inject style blocks into the page. These style blocks will not be applied if you use Content Security Policies (CSP) to secure your web application. To allow them to be applied, you need to add hashes for the style blocks to the style-src (or default-src) CSP settings.
This patch adds a reportStyleHash option to CommandPal. This along with a modification to the append() function in the node module svelte/internal/index.mjs results in console.log
output like:
svelte-1qhguwm-style 'sha256-gwaXl9ypsP5M+Pl7IPC4TdkehJgQRvkKmcYSf6NCydU='
svelte-bvn01s-style 'sha256-uBf9jI60SnIb3YTm/PeNRoEUOwpLyiOgSOmdm9XR8v8='
svelte-1ary9cc-style 'sha256-RpNJcpPx5tmGIdPUg0nsHLh99/fW3Gh85m5Kr+izRG8='
svelte-zz386-style 'sha256-flay8qiGrAOgKV+HMGAUkHtP0Ff+D+FyO2PBYlnYM78='
where the second element is the hash and the first element is the id for the injected style block. The hashes (including the ') can be copied into a CSP string.
You should calculate these for your copy of the command-pal JavaScript library. They should remain the same as long as the library isn't updated.
To make this work also requires a change be made to a node-module used to build command-pal.
The file node-modules/svelte/internal/index.mjs needs a modified definition of the append() function. Modify the append function by inserting:
at the beginning of the function.
This patch includes two versions of cp_hashFromString. It will use it's internal definitions only if cp_hashFromString is undefined. If window.cp_hashFromString collides with a different function or something that is not a function, you will get an error and CommandPal will not work.
If reportStyleHash is set to false (default), the version that is used just returns null. This suppresses console output. If reportStyleHash is set to truthy it invokes a version from
https://stackoverflow.com/a/69486709 to return the base64 encoded sha256 hash for the style. When the browser calculates the sha256 hash for the injected style it sees that it matches a sha256 in the CSP header and applies the style block.
You can also define a cp_hashFromString in script tag in your web page before invoking CommandPal. In this case, your version will be used so you could generate sha512 hashes if you wanted.
Note this is a hack. There should be some way to externalize the injected style blocks so they can be included using <style nonce="...">. This would eliminate the need to update the CSP with each new CommandPal release. But I am only smart enough to work around it this way.
See #13 for more details.