Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: Stencil 4.7.2 introduces CSP issue #5102

Closed
3 tasks done
plyworks opened this issue Nov 27, 2023 · 4 comments · Fixed by #5112
Closed
3 tasks done

bug: Stencil 4.7.2 introduces CSP issue #5102

plyworks opened this issue Nov 27, 2023 · 4 comments · Fixed by #5112
Assignees
@tanner-reits
Labels
Bug: Validated This PR or Issue is verified to be a bug within Stencil

Comments

@plyworks
Copy link

Prerequisites

Stencil Version

4.7.2

Current Behavior

index.js:3371 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-myNonce' ". Either the 'unsafe-inline' keyword, a hash ('sha256-+j8iWsl9MVf18edWBLWXvGwGeA90tRYZxjJ+fI89OSY='), or a nonce ('nonce-...') is required to enable inline execution.

Expected Behavior

https://github.com/ionic-team/stencil/blob/main/src/runtime/bootstrap-lazy.ts#L209

To have the nonce attribute added tot the dataStyles before it is inserted

System Info

System: node 18.16.0
    Platform: darwin (23.1.0)
   CPU Model: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz (16 cpus)
    Compiler: /Users/tvasselt/Projects/clone/beagle/node_modules/@stencil/core/compiler/stencil.js
       Build: 1699889895
     Stencil: 4.7.2 🐄
  TypeScript: 5.2.2
      Rollup: 2.42.3
      Parse5: 7.1.2
      Sizzle: 2.42.3
      Terser: 5.24.0

Steps to Reproduce

  • have Content-Security-Policy set for default-src, style-src and script-src with a nonce
  • upgrade Stencil core to 4.7.2
  • see csp errors

Code Reproduction URL

cannot

Additional Information

No response
@ionitron-bot ionitron-bot bot added the triage label Nov 27, 2023
@tanner-reits tanner-reits self-assigned this Nov 27, 2023
@tanner-reits
Copy link
Contributor

@plyworks Thanks for finding this! Silly mistake on my part. I published a dev build that re-orders the code for inserting those styles into the DOM if you wanna give that a try and verify it solves the issue:
npm i @stencil/core@4.8.0-dev.1701099049.800cac3

@tanner-reits tanner-reits added Awaiting Reply This PR or Issue needs a reply from the original reporter. Bug: Validated This PR or Issue is verified to be a bug within Stencil and removed triage labels Nov 27, 2023
@plyworks
Copy link
Author

@tanner-reits thanks for your quick response! Unfortunately, i get the exact same error.

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-hash60fffc8bc00da' .... ". Either the 'unsafe-inline' keyword, a hash ('sha256-7xelfedyXZ52Vi8+xE7nnZQGPPdbH2aFvZElToAINc0='), or a nonce ('nonce-...') is required to enable inline execution.

@ionitron-bot ionitron-bot bot removed the Awaiting Reply This PR or Issue needs a reply from the original reporter. label Nov 27, 2023
@tanner-reits
Copy link
Contributor

@plyworks Hmmm bummer. Would it be possible to get a small reproduction case? I'm not seeing anything else that would be preventing the nonce attribute from getting applied.

@tanner-reits tanner-reits added the Awaiting Reply This PR or Issue needs a reply from the original reporter. label Nov 27, 2023
tanner-reits pushed a commit that referenced this issue Nov 29, 2023
fix(runtime): apply nonce to data styles before DOM insert
05f4f81 
Reorders the code responsible for inserting the lazy build global styles so that the nonce value is applied prior to inserting into the DOM

Fixes: #5102

STENCIL-1026: Stencil 4.7.2 introduces CSP issue
@tanner-reits tanner-reits mentioned this issue Nov 29, 2023
Merged
2 tasks
github-merge-queue bot pushed a commit that referenced this issue Nov 30, 2023
@tanner-reits
fix(runtime): apply nonce to data styles before DOM insert (#5112)
df46fdc 
* fix(runtime): apply nonce to data styles before DOM insert

Reorders the code responsible for inserting the lazy build global styles so that the nonce value is applied prior to inserting into the DOM

Fixes: #5102

STENCIL-1026: Stencil 4.7.2 introduces CSP issue

* add note for order of operations
@tanner-reits
Copy link
Contributor

The fix for this was included as a part of today's v4.8.1 release!

@ionitron-bot ionitron-bot bot removed the Awaiting Reply This PR or Issue needs a reply from the original reporter. label Dec 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tanner-reits tanner-reits

Labels
Bug: Validated This PR or Issue is verified to be a bug within Stencil
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(runtime): apply nonce to data styles before DOM insert stenciljs/core
2 participants
@plyworks @tanner-reits