CSP registers style-src conflict with cookiepunch.js
Closed this issue · 2 comments
I have a problem to use CSP-Header with this package.
It gives me this error:
In the code the error is that it doesnt have a nonce value the dynamically added stylesheet.
Can we maybe define this in the settings or other possibility?
function s(e) {
var t = document.createElement("style")
, o = e.attributes || {};
if (void 0 === o.nonce) {
var i = n.nc;
i && (o.nonce = i)
}
if (Object.keys(o).forEach((function(e) {
t.setAttribute(e, o[e])
}
)),
"function" == typeof e.insert)
e.insert(t);
else {
var a = r(e.insert || "head");
if (!a)
throw new Error("Couldn't find a style target. This probably means that the value for the 'insert' parameter is invalid.");
a.appendChild(t)
}
return t
}
@adrian-cerdeira Hey, I also tried to use CSP-Headers in Neos in combination with this package.
I started using https://github.com/LarsNieuwenhuizen/Nieuwenhuizen.ContentSecurityPolicy where the last version is over 6 years old now, so it isn't working anymore. I'm trying to repair the package at the moment and later there will be a working version of the package.
I was able to add nonce-Values to Tags where needed but the value was removed. This is an ongoing issue in Klaro, which is used by CookiePunch. There is an open issue and PR since a long time now in Klaro: klaro-org/klaro-js#441
So hopefully the issue in Klaro will be resolved soon and I'll be able to publish the fixes for the Nieuwenhuizen.ContentSecurityPolicy package and then we can easily use CSP-Headers in Neos.
But in this package here there is no issue with CSP and nonces directly so I think that the issue can be closed @fheinze
@t-heuser Thanks for the information, keep me updated 😃