Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add nonce to style element for Content Security Policy #663

Merged
merged 1 commit into from
Apr 29, 2017

Conversation

akihikodaki
Copy link
Contributor

No description provided.

@bvaughn
Copy link
Owner

bvaughn commented Apr 28, 2017

Hey @akihikodaki. ELI5?

@akihikodaki
Copy link
Contributor Author

Sure.

The specification of Content Security Policy
describes as the following:

This document defines Content Security Policy, a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS).

To apply Content Security Policy, you need to have this change and to pass a nonce to react-virtualized and accordingly set nonce-source to Content-Security-Policy field in HTTP header.

@bvaughn
Copy link
Owner

bvaughn commented Apr 28, 2017

Yeah, I saw that change you added to the docs/usingAutoSizer.md. What wasn't clear to me was...what AutoSizer (or react-virtualized) has to do with CSP. Is it because of the fact that it's inserting a style tag?

@akihikodaki
Copy link
Contributor Author

Yes. We have the following choices to make it compatible with CSP:

  • Add unsafe-inline to style-src.
  • Add the hashes of all possible cases to style-src.
  • Add nonce to style-src and inserted style.

unsafe-inline is obviously not good. Adding the hashes is viable since there are just four patterns, but it is redundant and lacks compatibility. Nonce is the best solution in this case.

@bvaughn
Copy link
Owner

bvaughn commented Apr 29, 2017

Cool. Thanks for elaborating.

@bvaughn
Copy link
Owner

bvaughn commented Apr 29, 2017

Released as 9.7.4.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants