search-ui icon indicating copy to clipboard operation
search-ui copied to clipboard

Published 20 hours ago verified publisher icon elastic

This library should work with a "strict" Content Security Policy

Open JasonStoltz opened this issue 6 years ago • 6 comments

For reference: https://github.com/elastic/eui/issues/1431

JasonStoltz avatar Feb 15 '19 21:02 JasonStoltz

I did the following to test this. Testing was performed in the "examples/sandbox" project.

I added the following policy in a meta tag in index.html.

<meta
      http-equiv="Content-Security-Policy"
      content="base-uri 'self'; object-src 'none'; script-src 'self' ; style-src 'self'; style-src-elem 'self' https://fonts.googleapis.com 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
    />

And ran it with:

cd examples/sandbox
npm run build
npm install -g serve
serve -s build

As you can see in the policy above, I had to make the following adjustments:

The first thing I had to do was add https://fonts.googleapis.com as a trusted domain for style-src-elem, since our stylesheet imports styles from there. I think this is OK.

The second thing I had to do was add a hash for style-src-elem, since it appears that our dependency, react-select, adds inline styles to the dom using the emotion library.

I believe the second issue will need to be addressed. Either by:

A) Removing the dependency B) Disable styles being injected by the dependency and provide all of our own styles

JasonStoltz avatar Jun 25 '19 20:06 JasonStoltz

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Is this issue still important to you? If so, please leave a comment and let us know. As always, thank you for your contributions.

botelastic[bot] avatar Feb 13 '20 14:02 botelastic[bot]

I'd like to reopen this. Looks like the fonts have been fixed already in #293 And react-select issue can be solved by updating it to v3: JedWatson/react-select#3585 (search for "CSP").

yakhinvadim avatar Feb 27 '20 19:02 yakhinvadim

Updating to react-select v3 will likely be a breaking change, as the markup and classnames will likely be differently.

If we do this, I think we need to take the approach of deprecating the old component and adding a new component which can be opted into.

This could be a global configuration for Search UI, one that conditionally loads v3 instead of v2.

JasonStoltz avatar Feb 28 '20 12:02 JasonStoltz

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Is this issue still important to you? If so, please leave a comment and let us know. As always, thank you for your contributions.

botelastic[bot] avatar Apr 28 '20 13:04 botelastic[bot]

@yakhinvadim If you get a moment, could you see if this is solved after updating react select?

JasonStoltz avatar Jul 18 '22 20:07 JasonStoltz