Avoid inline styles in server-side directives (SSR) to allow nonce-based CSPs #11864
Comments
|
Not sure what is the exact problem here and what cannot be achieved but the proposed solution using a custom class name for Is this what you are looking for #11826 ? |
|
Not exactly. The referenced issue is about adding nonces to generated style or script element. While also an important aspect in complete CSP support, it does not solve the issue described here which is about inline style attributes. Inline Attributes ( |
|
Preventing inline styles is a pretty strict CSP directive, I'd only recommend this setting in highly secure settings. An alternative is to do a hash of the style content that v-show produces and add that as a safe value. This will mean you don't need to specify the nonce wherever v-show may appear. I'd still highly recommend allowing inline styles, especially if you have a strict CSP policy for scripts. As far as I know scripting would be required to inject inline styles, so I can't see the benefit of preventing inline styles at this stage. |
|
I think you are mostly right. However there are some problems with this approach: Using hashes for inline-attributes is a CSP Level 3 feature and requires the 'unsafe-hashes' attribute, which is not supported in Safari for example. This leaves you no other choice than falling back to domain whitelists and 'unsafe-inline' for styles. Domain whitelists are hard to maintain however and can open security vulnerabilities e.g. when whitelisting CDNs too broadly. |
|
@aKzenT indeed which is why I recommend just allowing https://csp-evaluator.withgoogle.com/ Even enabling I would say that if you really care for protection against styles then I'd question the use of any dependency in your project as they pose more risk than inline styles. |
|
Are you suggesting to not use any CSP rule for styles (just allowing everything)? Or do you still see a value in using a domain whitelist? Because it's not possible to use a 'nonce' for external styles and 'unsafe-inline' for attributes. Using nonces automatically disables 'unsafe-inline'. We will probably take the route of using a domain whitelist for now, but this is a configuration PITA because we already have all the infrastructure to propagate nonces through all loaded scripts and styles, but we would still need to change to domain whitelists as 'unsafe-inline' does not support anything else in combination. |
|
Our CSP policy for style is |
thanks a lot you are a good man |
What problem does this feature solve?
Currently when using the v-show directive server-side it produces style="display:none;" attributes on HTML elements. These collide with using a nonce-based CSP (content security policy level 2) setup as CSP Level 2 does not have a method to whitelist inline style attributes. CSP Level 3 allows this by using 'unsafe-hashes' and whitelisting the hash-value of the generated style attribute, but is not supported yet by all browsers (e.g. Safari). This makes it currently impossible to use a nonce-based CSP when using v-show and server-side rendering.
What does the proposed API look like?
E.g. Allow configuration of a custom class name that is used by v-show instead of the inline-styles.
The text was updated successfully, but these errors were encountered: