StickyTableHeaders
Use of inline styles prevents good security via CSP
I'm working on a site that uses this plugin (v0.1.19). To improve site security, I'm adding a Content Security Policy which, among other things, does not allow inline styles. The security risk posed by these is covered in this talk. In general, it's stuff like "if you allow inline styles, an attacker might somehow get `<style>` tags into your site that add deceptive elements, query for information in the page using attribute selectors, send data back to the attacker by setting specially-named background image URLs, etc."
We want to make that impossible. As an example CSP, if I send the very permissive header `Content-Security-Policy: default-src *`, it means "you can source scripts or styles or anything else from anywhere". But because that header doesn't whitelist inline scripts or styles, it implicitly forbids them.
When I load a page in my app that uses this plugin and sends that CSP header, I get an error in the Chrome developer console:
Refused to apply inline style because it violates the following Content Security Policy directive: "default-src *". Either the 'unsafe-inline' keyword, a hash ('sha256-7BWCoAyyyh4N57ifiNqsR2logKoVQnqkizK8Ya5j02g='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
Clicking on the error message gives me a stack trace that isn't super clear, but I found that if I comment out these lines that create and append a `<style>` tag, the warning disappears.
Could you instead provide this style as `sticky-table-headers-print-styles.css` or something similar to allow setting a CSP?
Another possible reason to change this: it appears that the current code is appending that `<style>` tag multiple times, which is unnecessary, right?
For those interested, this works better and does not even use JS. It is a bit more work to implement. https://codepen.io/tfzvang/pen/WQBwVo
I am also running into an issue where CSP is flagging this script. It looks like it's still there in latest. Has there been any plans to update and improve it?