
feat: possibility to add nonce attribute on script and style tags

Open erwingeiger opened this issue 4 years ago • 5 comments

This is about this topic: https://github.com/ionic-team/stencil/issues/1392 I added the possibility to add a nonce attribute on the

erwingeiger, Aug 10 '21 14:08

Update.

After implementing the nonce, we still have problems with unsafe-eval. I've seen someone has a solution for this: https://github.com/ionic-team/stencil/pull/1287. Unfortunately the PR was closed because it was not supported in older browsers. Now we are a few years later. IE11 is not supported anymore. Is it possible to add it now?

erwingeiger, Oct 08 '21 13:10

FYI, Firefox blocks all inline styles without a nonce. So basically Stencil cannot be used in production. Please prioritize this issue!

kliehm, Jan 11 '22 09:01

@kliehm Can you provide an example of Firefox blocking inline styles without a nonce? I'm able to get the following (although basic) HTML with inline CSS to render just fine in the following versions of Firefox:

  • 95.0.2 (64-bit)
  • 96.0b10 (64-bit)

<!DOCTYPE html>
<html>
<body>

<h1 style="color:blue;text-align:center;">This is a heading</h1>
<p style="color:red;">This is a paragraph.</p>

</body>
</html>

EDIT: I didn't see #3203 until after I commented here. Let's move the discussion to #3203

rwaskiewicz, Jan 11 '22 13:01

@rwaskiewicz It will go wrong where insertBefore is being used. Take this as an example.

[Screenshot 2022-03-10 at 11 57 23]

Maybe the best solution would be what I created in this PR: https://github.com/ionic-team/stencil/pull/2996 We still use this solution but it's a 'hacky' way. Every time we update Stencil core we have to manually add this functionality to create these nonce values.

Could you add this functionality in the core? A lot of people would be very pleased!

erwingeiger, Mar 10 '22 11:03

> Update.
>
> After implementing the nonce, we still have problems with unsafe-eval. I've seen someone has a solution for this: #1287. Unfortunately the PR was closed because it was not supported in older browsers. Now we are a few years later. IE11 is not supported anymore. Is it possible to add it now?

What I said above is solved because we don't support IE11 anymore. Using the nonce is still necessary but with that we will not get any errors anymore

erwingeiger, Mar 10 '22 11:03

Initial support for CSP Nonces has been added in today's release of Stencil 2.22.1, with our official guidance on nonce usage with Stencil published here. As a result, I'm going to close this pull request. Thanks again for helping make Stencil better!

rwaskiewicz, Jan 17 '23 21:01

> Initial support for CSP Nonces has been added in today's release of Stencil 2.22.1, with our official guidance on nonce usage with Stencil published here. As a result, I'm going to close this pull request. Thanks again for helping make Stencil better!

That is great news @rwaskiewicz! Thank you for this.

erwingeiger, Jan 17 '23 21:01