
feat(csp): added support for nonce

Open vaske opened this issue 2 years ago • 5 comments

This way CSP could be satisfied and the nonce passed to inline styles.

vaske avatar Jan 25 '24 16:01 vaske

Thanks for your PR.

I'm not really familiar with CSP and reading the docs did not make it clear what problem this is meant to solve (it also mentions using a hash should be preferred for static content, but I can't tell until I understand the problem).

Do you mind explaining why we need this?

andreaswilli avatar Jan 28 '24 20:01 andreaswilli

@andreaswilli Yes. If you have a web app that uses 3rd-party libraries with CSP, you can prevent vulnerabilities and explicitly list the domains from which the app can inject CSS/JS. Since here you are injecting inline CSS without the ability to carry a nonce, this is in conflict with the CSP policy and it will complain. The solution is to allow a nonce as an optional parameter and then inject it along with the styles; basically, the user of your script passes the proper nonce and your code just injects it inline. Another way around would be to make the script injectable into some container, but IMHO this is a bit cleaner.

vaske avatar Jan 29 '24 06:01 vaske
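The mechanism vaske describes, as an added example that is not code from react-verification-input or this PR: a small evaluator that decides whether an inline `<style>` passes a `style-src` directive, next to the library-side injection pattern the PR proposes. Function names (`parseCsp`, `isInlineStyleAllowed`, `injectStyles`) and the policy header are hypothetical and constructed for the demo.

```javascript
// Added example, not code from react-verification-input or the PR.
// Function names are hypothetical; the CSP header below is constructed.

// Parse a Content-Security-Policy header into { directive: [sources...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Would an inline <style> carrying `nonce` (or none) be allowed by `header`?
// style-src falls back to default-src; no governing directive means no restriction.
function isInlineStyleAllowed(header, nonce) {
  const csp = parseCsp(header);
  const sources = csp['style-src'] ?? csp['default-src'];
  if (!sources) return true;
  const keywords = sources.map((s) => s.toLowerCase());
  // Per CSP3, 'unsafe-inline' is ignored once a nonce or hash source is present.
  const hasNonceOrHash = keywords.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (keywords.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  // Nonces are base64 and are compared case-sensitively against the raw sources.
  return Boolean(nonce) && sources.includes(`'nonce-${nonce}'`);
}

// Library-side injection as the PR proposes: the caller supplies the nonce the
// server placed in its CSP header and the library sets it on the <style> element.
// `doc` is a parameter so the function also runs outside a browser with a stub.
function injectStyles(doc, css, nonce) {
  const style = doc.createElement('style');
  if (nonce) style.setAttribute('nonce', nonce);
  style.textContent = css;
  doc.head.appendChild(style);
  return style;
}

// Constructed policy: same-origin stylesheets plus inline styles carrying this nonce.
const policy = "default-src 'self'; style-src 'self' 'nonce-R4nd0mB4se64'";
console.log(isInlineStyleAllowed(policy, undefined));      // false: no nonce, blocked
console.log(isInlineStyleAllowed(policy, 'R4nd0mB4se64')); // true: nonce matches header
```

Without the optional nonce parameter the injected `<style>` is the first case and the browser reports a CSP violation; with it, the same element is the second case.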

Thanks. I think I need to learn a bit more about CSP.

andreaswilli avatar Jan 31 '24 19:01 andreaswilli

@andreaswilli Great starting point here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP. Please let me know if you plan to add this soon; if not, I'm afraid I will need to find another solution for my project. Thanks 🙏

vaske avatar Jan 31 '24 20:01 vaske

I'll look into it. Maybe I'll be quick, maybe it'll take a while, but I can't promise anything, sorry.

andreaswilli avatar Jan 31 '24 22:01 andreaswilli