-
-
Notifications
You must be signed in to change notification settings - Fork 32.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP docs are a little unclear - can I help improve them? #17566
Comments
@johnnyreilly Thank you for raising this concern. Security is too often overlooked. To be honest, the last time I have faced this problem, I ended up using the following: import helmet from 'helmet'
// ...
const app = express()
app.use(
helmet({
// TODO Should we restrict the policy ?
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
contentSecurityPolicy: {
directives: {
defaultSrc: ['*', 'blob:'], // Blob for upload support
styleSrc: ['*', "'unsafe-inline'"],
scriptSrc: ['*', "'unsafe-inline'", "'unsafe-eval'"],
frameAncestors: ["'none'"],
reportUri: config.get('sentry.reportCSP'),
},
// Don't support old version and help with CDN
browserSniff: false,
disableAndroid: true,
},
frameguard: {
action: 'deny', // Disallow embedded iframe
},
})
)
Yes, you are right, it's the message we have tried to communicate. Do you think that we could improve the wording? I have seen a related issue in styled-components/styled-components#2363. It doesn't seem to be a concern a lot of people handle/try to handle. Regarding our documentation, we don't do anything about it: https://securityheaders.com/?q=https%3A%2F%2Fmaterial-ui.com%2F&followRedirects=on. |
Awesome - that's good. Yes I think the wording could be made more explicit that that's the case. For instance, as I read the original I was wondering if:
Perhaps the wording could be expanded to something like: Then, you must pass this nonce to JSS so it can add it to subsequent The way that you do that is by passing a You must include this header regardless of whether or not SSR is used.
What do you think? |
I think that the proposal will help 👍. Do you want to open à pull request? :) |
Yeah I'll try to. Crazy busy right now though - ping me if I forget |
hi @johnnyreilly - I'm developing with a standard stack with Create React App (CRA) with Material UI (MUI) running with CSP that the security team wanted to put in place, but it's failing with 'style-src' with inline css because MUI has components with inline styling. Wondering if that's something that you ran into. I've been looking around for solution but I too am feeling lost. |
There is still an open discussion about it in #19938. |
First of all, thank you for Material UI - I love it; it's super cool!
I've been looking into how to support CSP with Material UI; specifically using a
style-src
. I've been reading the docs here: https://material-ui.com/styles/advanced/#content-security-policy-cspThey start off great but I must confess to getting a little lost by the end. Having spent a bunch of time googling and seeing others who also seem to be a little confused.
See:
I thought I'd see if I could start a discussion with the desire of discovering the answer and hopefully using that to subsequently improving the docs 🤗
The part where the docs start to get a little mysterious is here:
This is not particularly clear to me; the "you must pass this nonce to JSS". How exactly does this happen? Is the idea that our
page.html
should include thismeta
property in the head? Like this:And that JSS looks for a
csp-nonce
meta property by default?i.e. There's no need to write a line of code that says "hey JSS, this is the nonce you need", rather that JSS will by convention look for the
csp-nonce
meta property in yourhtml>head
when it boots and use the value as a nonce if it is found.Or am I totally barking up the wrong tree? Totally possible!
It's worth saying that the JSS docs are similarly somewhat ambiguous: https://cssinjs.org/csp/?v=v10.0.0
Finally I'm wondering whether it's worth mentioning approaches around hashing in the docs:
https://github.com/slackhq/csp-html-webpack-plugin
I don't know enough around this topic to say though.
The text was updated successfully, but these errors were encountered: