Add CSP support #33

Open
MisterGoodcat opened this issue Sep 26, 2018 · 11 comments

@MisterGoodcat

At some point, style-loader added support for nonces to somewhat ease CSP issues. Without this support, you have to allow unsafe inline styles. This currently is the case with vue-style-loader, which is an issue in tight CSP scenarios. Is there any chance to add similar support to vue-style-loader?

Link to the original issue in style-loader: webpack-contrib#306
Link to the source that provides nonce support: https://github.com/webpack-contrib/style-loader/blob/master/lib/addStyles.js#L211

Further reading: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src#Sources (see "nonce")

Note: The static compile-time support in style-loader is not exactly how it is supposed to work (also see the linked article). A proper solution would support dynamic nonces that change by request. Other frameworks solve this in various ways, for example by looking for a well-known style tag in the page source and taking the nonce from there if available. That way the host has full control over when and how new nonces are created.
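
The runtime lookup described in the note above, as an added example that is not part of the original post and is not vue-style-loader or style-loader code. `HOST_SELECTOR`, `findPageNonce`, `injectStyle` and the stand-in document are hypothetical names chosen for illustration.

```javascript
// Added example: resolve the per-request CSP nonce from the host page at
// runtime and stamp it on every injected <style> element.
// HOST_SELECTOR is a hypothetical convention, not a vue-style-loader option.
const HOST_SELECTOR = 'style[nonce], script[nonce]';

// Return the nonce the server rendered into the page, or '' if there is none.
function findPageNonce(doc) {
  const host = doc.querySelector(HOST_SELECTOR);
  if (!host) return '';
  // Browsers hide the nonce from the content attribute once the element is
  // connected, so read the IDL property first and fall back to the attribute.
  return host.nonce || host.getAttribute('nonce') || '';
}

// Create a <style> element that a `style-src 'nonce-...'` policy will accept.
function injectStyle(doc, css, nonce = findPageNonce(doc)) {
  const el = doc.createElement('style');
  if (nonce) el.setAttribute('nonce', nonce); // set before the element is inserted
  el.textContent = css;
  doc.head.appendChild(el);
  return el;
}

// Constructed stand-in for `document`, so the logic runs outside a browser.
// Its querySelector ignores the selector and returns the first nonce-bearing child.
function makeFakeDocument(pageNonce) {
  const makeEl = (tag) => {
    const attrs = {};
    return { tag, textContent: '', children: [],
      setAttribute(k, v) { attrs[k] = String(v); },
      getAttribute(k) { return k in attrs ? attrs[k] : null; },
      appendChild(c) { this.children.push(c); return c; } };
  };
  const head = makeEl('head');
  if (pageNonce) head.appendChild(makeEl('style')).setAttribute('nonce', pageNonce);
  return { head, createElement: makeEl,
    querySelector: () => head.children.find((c) => c.getAttribute('nonce')) || null };
}

const doc = makeFakeDocument('r4nd0m-per-request'); // constructed sample value
const injected = injectStyle(doc, '.btn { color: red }');
console.log(injected.getAttribute('nonce'));
```

When no nonce-bearing element exists, the style is injected without a nonce, so a strict `style-src` policy blocks it instead of the loader silently relying on `'unsafe-inline'`.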

@FeatureSpitter

What the hell are they waiting for to accept the PR and fix this??

@gwynnarth

I would like to see that resolved too. At this point I need to allow unsafe-inline in my application which is far from what I'd like.

@limeandcoconut

Can we see some movement on this? I don't think this is an acceptable security vuln.

@stgogm

stgogm commented Jul 22, 2020

This could also solve this issue https://github.com/webpack-contrib/style-loader#linktag

@bpkennedy

Is there a reason we can't merge this PR? Sure would be helpful.

@jaananvelt

Looking forward to this PR being merged. It would be very helpful. Thank you in advance!

@Kwaadpepper

This should really come in handy!

@sarkiroka

The 4-year birthday is coming soon.

@FeatureSpitter

This project is dead.

RIP


@stgogm

stgogm commented Sep 12, 2022

@FeatureSpitter @sarkiroka It is...

@Kwaadpepper

Kwaadpepper commented Sep 13, 2022

My solution for this, as I am using webpack, is that all Vue styles go into a separate CSS file, using runtime only. This is the only way I found. https://v2.vuejs.org/v2/guide/installation.html#CSP-environments
https://v2.vuejs.org/v2/guide/deployment.html#Extracting-Component-CSS

There is much improvement in performance. Also, my setup is using Vue 3 on runtime only + TypeScript + Laravel Mix with ESLint.
