CSP Nonce Support for generated files #1392
Comments
|
Working in an organization this is a critical feature for us. It's quite a hazzle to add sha values for our styles. Was there any internal discussion in the ionic team about this feature? |
|
Is there any update from the Stencil team in regard of this feature? We also have some concern that limit some of our teams to move ahead with the stencilJs web-components used by our design system. |
|
Hi, Any update on this one? I can't believe nothing have been done yet to handle CSP in stencil libraries. Angular and react have added support for CSP in 2015-2016! I'm also working in a big organization and CSP is a basic security requirement for us. It's a blocker right now! Any update would be appreciated! 👍 @adamdbradley ? Thanks |
|
Hi, |
|
We also need that quite urgently |
|
any updates about this? Also our organisation requires to use a CSP. |
In case that helps: I found out that the inline styles for hydrated components (components are invisible or inherit visibility when having the "hydrated" class) can be suppressed by setting "hydratedFlag: null" in the stencil configuration. Those hydrated styles are supposed to prevent the components from "flickering". Maybe a custom output target could be used to write those css rules into a proper css file and thus not violating the corresponding CSP. There is a corresponding suggestion here (#2245) |
splitinfinities
added
the
Feature: Want this? Upvote it!
|
Hey everyone! Thank you so much for the feedback. We'll be taking this into consideration. |
|
For your information. Our best solution for now was to fork the source files of Stencil and made adjustments to the files Not the best solution, but it works for now. I hope Stencil will come with a better solution in the near future. |
|
@erwingeiger Would you be able to make a PR into Stencil for that? Or do you believe there's a better approach than what you've done? |
|
@splitinfinities I would like, but this is a quick and dirty solution. So I think others can make better approaches. In the file I did this in the files: |
ionitron-bot
bot
added
the
ionitron: stale issue
|
Thanks for the issue! This issue is being closed due to inactivity. If this is still an issue with the latest version of Stencil, please create a new issue and ensure the template is fully filled out. Thank you for using Stencil! |
|
Hey ionitron-bot, we didn't mean to close this. Bad bot! |
rwaskiewicz
removed
the
ionitron: stale issue
|
Initial support for CSP Nonces have been added in today's release of Stencil 2.22.1, with our official guidance on nonce usage with Stencil published here. As a result, I'm going to close this issue. Should anyone run into any issues with the feature, please feel free to open a new issue. Thanks! |
Stencil version:
I'm submitting a:
[ ] bug report
[x] feature request
[ ] support request => Please do not submit support requests here, use one of these channels: https://stencil-worldwide.herokuapp.com/ or https://forum.ionicframework.com/
Current behavior:
Same as the closed issue - #496
When bundling we automatically create an inline style which violates the strict CSP usage
Whilst a workaround is to add each individual sha to the CSP policy it isn't ideal and not a nice dev experience.
In webpack this was achieved by adding a top-level nonce value which would then be added to all at bundle time. - styled-components/styled-components#887
Expected behavior:
To be able to provide a nonce for styles (should be for all scripts, img etc...) that will be added to all build-generated scripts, styles etc... Allowing apps to be CSP ready out of the box.
Steps to reproduce:
Add CSP Policy for style-src 'self' and run app.
The text was updated successfully, but these errors were encountered: