
This library should work with a "strict" Content Security Policy #93

JasonStoltz opened this issue Feb 15, 2019 · 6 comments
@JasonStoltz (Member):
For reference: elastic/eui#1431

@JasonStoltz (Member, Author):

I did the following to test this. Testing was performed in the "examples/sandbox" project.

I added the following policy in a meta tag in index.html.

<meta
      http-equiv="Content-Security-Policy"
      content="base-uri 'self'; object-src 'none'; script-src 'self' ; style-src 'self'; style-src-elem 'self' https://fonts.googleapis.com 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
    />

And ran it with:

cd examples/sandbox
npm run build
npm install -g serve
serve -s build

As you can see in the policy above, I had to make the following adjustments:

The first thing I had to do was add https://fonts.googleapis.com as a trusted domain for style-src-elem, since our stylesheet imports styles from there. I think this is OK.

The second thing I had to do was add a hash for style-src-elem, since it appears that our dependency, react-select, adds inline styles to the DOM using the emotion library.

I believe the second issue will need to be addressed. Either by:

A) Removing the dependency
B) Disabling the styles injected by the dependency and providing all of our own styles

@JasonStoltz JasonStoltz changed the title This library should be tested a Strict Content Policy. This library should work with a Strict Content Security Policy Jun 25, 2019
@JasonStoltz JasonStoltz changed the title This library should work with a Strict Content Security Policy This library should work with a "strict" Content Security Policy Jun 26, 2019
botelastic bot commented Feb 13, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Is this issue still important to you? If so, please leave a comment and let us know. As always, thank you for your contributions.

@botelastic botelastic bot added the wontfix This will not be worked on label Feb 13, 2020
@botelastic botelastic bot closed this as completed Feb 20, 2020
@yakhinvadim (Contributor):

I'd like to reopen this.
Looks like the fonts have been fixed already in #293.
And the react-select issue can be solved by updating it to v3: JedWatson/react-select#3585 (search for "CSP").

@yakhinvadim yakhinvadim reopened this Feb 27, 2020
@botelastic botelastic bot removed the wontfix This will not be worked on label Feb 27, 2020
@JasonStoltz (Member, Author):

Updating to react-select v3 will likely be a breaking change, as the markup and classnames will likely be different.

If we do this, I think we need to take the approach of deprecating the old component and adding a new component which can be opted into.

This could be a global configuration for Search UI, one that conditionally loads v3 instead of v2.

botelastic bot commented Apr 28, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Is this issue still important to you? If so, please leave a comment and let us know. As always, thank you for your contributions.

@botelastic botelastic bot added the wontfix This will not be worked on label Apr 28, 2020
@JasonStoltz JasonStoltz added pinned and removed wontfix This will not be worked on labels Apr 28, 2020
@JasonStoltz (Member, Author):

@yakhinvadim If you get a moment, could you see if this is solved after updating react-select?
