Support CSP by adding __webpack_nonce__

Question

Support CSP by adding __webpack_nonce__

Closed this issue 2 years ago · 4 comments

kristina-stepanaviciene-devbridge commented 2 years ago

react-horizontal-scrolling-menu does not work with Content Security Policy due to injected inline styles, the error is thrown: "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' ...". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.".

Some other libraries provide a way to add webpack_nonce, for example, emotion-js/emotion#2822.

Could something similar be made in react-horizontal-scrolling-menu?

Seems like style-loader is used, which is generating inline styles. This might be a reason why CSP is violated.

Answer 1 · 2022-08-04T07:08:46.000Z

I will take a look later.

Answer 2 · 2022-08-06T09:30:13.000Z

Btw need way to reproduce it, but i'm not sure i can fix it. I'm using rollup for production build.

Answer 3 · 2022-08-08T07:18:49.000Z

Hi @asmyshlyaev177 , I'm facing the same issue. I forked your basic sample and added <meta http-equiv="Content-Security-Policy" content="style-src 'self'" /> to index.html

https://codesandbox.io/s/basic-example-forked-d6wq5i?file=/public/index.html

Now if you check browser logs, you'd see that Chrome e.g. blocks the style loading with

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

Answer 4 · 2022-08-08T07:22:24.000Z

Hi @asmyshlyaev177 , I'm facing the same issue. I forked your basic sample and added <meta http-equiv="Content-Security-Policy" content="style-src 'self'" /> to index.html

https://codesandbox.io/s/basic-example-forked-d6wq5i?file=/public/index.html

Now if you check browser logs, you'd see that Chrome e.g. blocks the style loading with

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

Can you try to use https://www.npmjs.com/package/csp-html-webpack-plugin ?