Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BPMN viewer conflicts with strict Content-Security-Policy (CSP) style-src directive #1625

Closed
andyflatwhite opened this issue Mar 29, 2022 · 4 comments
Closed

BPMN viewer conflicts with strict Content-Security-Policy (CSP) style-src directive #1625

andyflatwhite opened this issue Mar 29, 2022 · 4 comments
Assignees
@marstamm
Labels
bug Something isn't working channel:support spring cleaning Could be cleaned up one day

Comments

@andyflatwhite
Copy link

andyflatwhite commented Mar 29, 2022
edited by nikku
Loading

Describe the Bug

Steps to Reproduce

  1. Run the BPMN viewer within a web application which has strict style-src directives in its Content Security Policy (CSP) header

Expected Behavior

Style manipulations should be performed in a way which does not break CSP rules.

More Information

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

the following stylesheets are blocked and won't load [...] Inline style attributes are also blocked [...] As well as styles that are applied in JavaScript by setting the style attribute directly, or by setting cssText

The problematic parts of the BPMN code relate to uses of the domify helper. When used with inline styles, a strict style-src directive will block the styles from taking effect. The styles should be set directly on the element's style property, as shown in the above MDN link.

Environment

Also reported via internal conversation.
@andyflatwhite andyflatwhite added the bug Something isn't working label Mar 29, 2022
andyflatwhite added a commit to andyflatwhite/bpmn-js that referenced this issue Mar 29, 2022
@andyflatwhite
Add DOM style attributes in CSP-compliant way
c40b83f 
CLoses bpmn-io#1625
andyflatwhite added a commit to andyflatwhite/bpmn-js that referenced this issue Mar 29, 2022
@andyflatwhite
fix: add DOM style attributes in CSP-compliant way
4f42a06 
CLoses bpmn-io#1625
andyflatwhite added a commit to andyflatwhite/bpmn-js that referenced this issue Mar 29, 2022
@andyflatwhite
fix: add DOM style attributes in CSP-compliant way
28b17b6 
Closes bpmn-io#1625
@andyflatwhite andyflatwhite mentioned this issue Mar 29, 2022
Closed
@nikku
Copy link
Member

nikku commented Apr 4, 2022

We'd need to decide on a scope (viewer only? navigate viewer?) if we wanted to fix this.

I.e. in our modeler distribution there is a larger number of that disallowed by CSP usages (search for assign\([^.\n]+\.style regex).

@andyflatwhite
Copy link
Author

Thanks @nikku. I don't think I'm best placed to figure out all the packages that might include this issue, but if I could have some help identifying them I'd be happy to create new PRs to include similar fixes. Your link to the modeler distribution shows this is present in other places, but from that I'm not sure where the fix would be applied (although if it's in the same repo I can have another look to see if there are things I might have missed).

I've seen your suggestion in the PR I created and I'll get that actioned soon.

andyflatwhite added a commit to andyflatwhite/bpmn-js that referenced this issue Apr 26, 2022
@andyflatwhite
fix: add DOM style attributes in CSP-compliant way
e924869 
Closes bpmn-io#1625
andyflatwhite added a commit to andyflatwhite/bpmn-js that referenced this issue Apr 26, 2022
@andyflatwhite
fix: add DOM style attributes in CSP-compliant way
f6bdb75 
Closes bpmn-io#1625
@MaxTru MaxTru added the spring cleaning Could be cleaned up one day label May 10, 2022
@MaxTru MaxTru added the backlog Queued in backlog label May 10, 2022 — with bpmn-io-tasks
@MaxTru MaxTru removed the ready Ready to be worked on label May 10, 2022
@bpmn-io-tasks bpmn-io-tasks bot added the in progress Currently worked on label May 16, 2022
@bpmn-io-tasks bpmn-io-tasks bot removed the backlog Queued in backlog label May 16, 2022
marstamm added a commit to bpmn-io/min-dom that referenced this issue May 16, 2022
@marstamm
feat(style): add assignStyle utility
a2b91e6 
related to bpmn-io/bpmn-js#1625
@marstamm marstamm mentioned this issue May 16, 2022
Merged
marstamm added a commit to bpmn-io/min-dom that referenced this issue May 16, 2022
@marstamm
feat(style): add assignStyle utility
c1788a5 
related to bpmn-io/bpmn-js#1625
fake-join bot pushed a commit to bpmn-io/min-dom that referenced this issue May 16, 2022
@marstamm @fake-join
feat(style): add assignStyle utility
4fea4b1 
related to bpmn-io/bpmn-js#1625
This was referenced May 16, 2022
Merged
Merged
@bpmn-io-tasks bpmn-io-tasks bot added needs review Review pending and removed in progress Currently worked on labels May 16, 2022
@barmac
Copy link
Member

barmac commented May 18, 2022

Closed via #1645

@barmac barmac closed this as completed May 18, 2022
@bpmn-io-tasks bpmn-io-tasks bot removed the needs review Review pending label May 18, 2022
@andyflatwhite
Copy link
Author

🎉 Thanks all!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marstamm marstamm

Labels
bug Something isn't working channel:support spring cleaning Could be cleaned up one day
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add DOM style attributes in CSP-compliant way andyflatwhite/bpmn-js
5 participants
@nikku @andyflatwhite @marstamm @barmac @MaxTru