Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Content Security Policy (CSP) config #4241

Closed
ydcjeff opened this issue Aug 6, 2023 · 3 comments
Closed

Add Content Security Policy (CSP) config #4241

ydcjeff opened this issue Aug 6, 2023 · 3 comments
Assignees
@mertsincan
Labels
Type: New Feature Issue contains a new feature or new component request
Milestone
3.32.0

Comments

@ydcjeff
Copy link

ydcjeff commented Aug 6, 2023

Describe the feature you would like to see added

Currently, PrimeVue creates many style elements and directly append into head tag. While we deploy the app with strict CSP headers, many CSP style errors occur saying failed to inject inline styles.

Thus, to support CSP config, I think we could add a CSP config when creating PrimeVue vue plugin.

app.use(PrimeVue, { csp: /* ... */ });

Is your feature request related to a problem?

Currently, our client apps are deployed with strict CSP report only headers. Although the app works, there are multiple errors in the console and multiple false positive CSP style errors are reported.

Describe the solution you'd like

Provide a CSP config when creating PrimeVue vue plugin, and use the provided CSP values when creating inlin style elements.

app.use(PrimeVue, { csp: /* ... */ });

Describe alternatives you have considered

  • Use 'unsafe-inline', but unfortunately we can't do for our case.
  • Write a Vite plugin that injects setAttribute('nonce', ...) code (we workaround with this for now, however could break between each version).

Additional context

No response
@ydcjeff ydcjeff added Status: Discussion Issue or pull request needs to be discussed by Core Team Type: New Feature Issue contains a new feature or new component request labels Aug 6, 2023
@mertsincan mertsincan added this to the 3.32.0 milestone Aug 10, 2023
@mertsincan mertsincan self-assigned this Aug 10, 2023
@mertsincan mertsincan changed the title Content Security Policy config Add Content Security Policy (CSP) config Aug 11, 2023
@mertsincan
Copy link
Member

Thanks a lot for the report! On 3.32.0, please try;

app.use(PrimeVue, {
    csp: {
        nonce: '...'
    }
});

@ydcjeff
Copy link
Author

ydcjeff commented Aug 11, 2023

Thank you for implementing quickly.

@tugcekucukoglu tugcekucukoglu removed the Status: Discussion Issue or pull request needs to be discussed by Core Team label Aug 11, 2023
@ydcjeff ydcjeff mentioned this issue Aug 14, 2023
Closed
@ElteHupkes
Copy link

@ydcjeff This may not be the place, but is there any indication, here or in some other docs, on how to actually securely use such a nonce value? Unless you're serving the frontend from a backend that randomly rotates the nonce, I fail to understand how a nonce config value is any less unsafe than unsafe-inline.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mertsincan mertsincan

Labels
Type: New Feature Issue contains a new feature or new component request
Projects
None yet
Milestone
3.32.0
Development

No branches or pull requests
4 participants
@ElteHupkes @mertsincan @tugcekucukoglu @ydcjeff