phoenix_storybook icon indicating copy to clipboard operation
phoenix_storybook copied to clipboard

Published 20 hours ago verified publisher icon phenixdigital

Fix CSP support

Open crkent opened this issue 2 years ago • 1 comments

Code highlighting breaks for applications which set CSPs. This is due to the use of an inline style element to add (Makeup-generated) highlighting.

https://github.com/phenixdigital/phx_live_storybook/blob/a6a8c6beae69fa30f96083acd4cf33b1fc54edea/lib/phx_live_storybook/templates/layout/root.html.heex#L28-L30

To fix this, the simplest solution could be to add support for a nonce parameter from the conn. Happy to submit a pull request for this, if desired.

crkent avatar Oct 13 '22 16:10 crkent

Hey Carson, I wasn't really aware of CSP, thanks for raising this issue. Please open a PR

cblavier avatar Oct 13 '22 19:10 cblavier

👋 @crkent still wanna open a PR on this topic?

cblavier avatar Oct 22 '22 12:10 cblavier

Hi @cblavier, congrats on this super cool library, I absolutely love it!

I was wondering if there is a reason this got closed. I am still getting this.

How to replicate

Make sure the :browser pipeline in the router includes CSP headers

  pipeline :browser do
    # other plugs
    plug :put_secure_browser_headers, %{"content-security-policy" => "default-src 'self'"}
  end

The code snippets won't load the syntax highlighting: Screenshot 2022-12-27 at 11 33 08 AM

gaiabeatrice avatar Dec 27 '22 18:12 gaiabeatrice

Just to add more context, this is an issue Phoenix Live Dashboard was having as well, and the following discussion is very interesting to read to find a similar solution. https://github.com/phoenixframework/phoenix_live_dashboard/issues/183

gaiabeatrice avatar Dec 27 '22 20:12 gaiabeatrice

Thanks for your feedback, Beatrice. I closed the issue because I had no news from @crkent

I will reopen it, and get it fixed!

cblavier avatar Jan 02 '23 09:01 cblavier

Beatrice is my last name, I go by Gaia 😁

Let me know if you need help, I can probably whip up a PR if needed.

gaiabeatrice avatar Jan 02 '23 16:01 gaiabeatrice

Sorry about that, Gaia :) I would gladly take a PR and review it, thanks for proposing.

cblavier avatar Jan 02 '23 17:01 cblavier

Hey Gaia, still want to open a PR? Need any help? Let me know!

cblavier avatar Jan 09 '23 09:01 cblavier

Hi, sorry, I'm having some really busy times this period, I was planning on work on this at the end of this week. If it's too late let me know

gaiabeatrice avatar Jan 09 '23 14:01 gaiabeatrice

No that's fine! I'm still aiming at a 0.5.0 release by the end of the month

cblavier avatar Jan 09 '23 15:01 cblavier

Why was this closed? I am having this issue in the latest version.

Papipo avatar Jul 19 '23 18:07 Papipo

This was closed by lack of external contribution 🤷‍♂️

I'd be more than happy to receive a PR on the topic, I don't know anything about CSP

cblavier avatar Jul 20 '23 06:07 cblavier

Hi sorry for the enormous and inexcusable delay.

I came back to work on this and I am having some issues with some inline styles. I can still open the PR, so someone more expert on the frontend can maybe help.

gaiabeatrice avatar Aug 03 '23 06:08 gaiabeatrice

Thanks a lot, @gaiabeatrice 🙏🙏🙏 It helped me a lot in understanding what CSP and nonces are.

I also had issues with favicons, but I fixed it by allowing self in the img-src directive in my policy as such:

img-src 'self' 'nonce-#{img_nonce}'

From my understanding, the nonce should have been enough, but anyway, that did the trick.

cblavier avatar Oct 08 '23 11:10 cblavier