
Add support for CSSStyleSheet instance in DomRenderer for CSP enabled applications without relying on nonce #1666

Open · wants to merge 2 commits into base: master

Conversation


@rohitkr rohitkr commented Nov 22, 2024

Summary

This pull request introduces support for using a CSSStyleSheet instance provided by the user in the DomRenderer class. This enhancement is aimed at improving the flexibility and security of style injection in Content Security Policy (CSP) enabled applications. While maintaining support for nonce, it also provides an alternative for environments where the nonce value is not exposed.

Problem

In CSP enabled applications, inline styles are often restricted, making it challenging to manage stylesheets securely. The current implementation of JSS supports nonce for CSP, but it does not support the direct use of a CSSStyleSheet instance created and managed outside of JSS. This limitation hinders the ability to inject styles into a secure CSSStyleSheet, especially in environments where the nonce value is not exposed.

Solution

The proposed solution allows users to provide a CSSStyleSheet instance as the insertionPoint in the DomRenderer class. The changes include:

  • Updating the constructor of DomRenderer to accept a CSSStyleSheet instance.
  • Modifying the insertStyle method to handle CSSStyleSheet instances.
  • Maintaining support for nonce while providing an alternative for environments where the nonce value is not exposed.

Changes

  • Updated DomRenderer constructor to check if insertionPoint is an instance of CSSStyleSheet and use it directly if true.
  • Modified insertStyle method to insert rules into the provided CSSStyleSheet instance.
  • Maintained the setting of nonce attribute while providing an alternative for environments where the nonce value is not exposed.

Impact

This change enhances the security and flexibility of JSS by allowing styles to be injected into a CSSStyleSheet instance, which is particularly useful in CSP enabled environments. It ensures that JSS can be used in a wider range of applications with strict security policies, even when the nonce value is not exposed.

Testing

The changes have been tested in a CSP enabled environment to ensure that styles are correctly injected into the provided CSSStyleSheet instance without violating CSP rules.

Todo

  • Add test(s) that verify the modified behavior
  • Add documentation if it changes public API
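An added example (not JSS's own code, and not the PR's diff) of the dispatch the description above talks about: a renderer that takes either a CSSStyleSheet instance or a DOM insertion point, inserts rules through insertRule() when given a sheet so no nonce is needed, and otherwise falls back to a <style> element carrying the CSP nonce. The function names and the in-memory stand-in sheet are assumptions made so it runs offline.

```javascript
// Added example, not JSS's own code: route rules through a user-supplied
// CSSStyleSheet so they are inserted via the CSSOM API rather than an inline
// <style> element, which is why no nonce is needed under a strict style-src.
function isStyleSheet(insertionPoint) {
  // Real instanceof check in a browser; duck typing where CSSStyleSheet is absent.
  if (typeof CSSStyleSheet !== 'undefined') return insertionPoint instanceof CSSStyleSheet
  return Boolean(insertionPoint) && typeof insertionPoint.insertRule === 'function'
}

// insertRule() throws a SyntaxError for a rule the engine cannot parse, so each
// rule is attempted on its own and failures are reported, not silently dropped.
function insertIntoSheet(sheet, rules) {
  const result = {inserted: 0, failed: []}
  for (const rule of rules) {
    try {
      sheet.insertRule(rule, sheet.cssRules.length) // append at the end
      result.inserted++
    } catch (err) {
      result.failed.push({rule, reason: err.message})
    }
  }
  return result
}

// A CSSStyleSheet instance gets CSSOM insertion; anything else falls back to a
// <style> element that must carry the CSP nonce (browser-only path).
function renderStyles(insertionPoint, rules, options = {}) {
  if (isStyleSheet(insertionPoint)) {
    return {mode: 'cssom', ...insertIntoSheet(insertionPoint, rules)}
  }
  if (typeof document === 'undefined') {
    throw new Error('no CSSStyleSheet given and no DOM available for a <style> element')
  }
  const style = document.createElement('style')
  if (options.nonce) style.setAttribute('nonce', options.nonce)
  style.textContent = rules.join('\n')
  const parent = insertionPoint || document.head
  parent.appendChild(style)
  return {mode: 'style-element', inserted: rules.length, failed: []}
}

// Constructed stand-in for CSSStyleSheet so this runs offline; in a browser pass
// `new CSSStyleSheet()` instead.
function makeFakeSheet() {
  const cssRules = []
  return {
    cssRules,
    insertRule(text, index) {
      if (!/^[^{}]+\{[^{}]*\}$/.test(text.trim())) throw new SyntaxError('Failed to parse the rule')
      cssRules.splice(index, 0, {cssText: text})
      return index
    },
  }
}
```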

… solely on nonce

This commit adds support for using a `CSSStyleSheet` instance provided by the user in the `DomRenderer` class. This enhancement allows JSS to inject styles directly into a `CSSStyleSheet` instance, which is particularly useful in CSP enabled applications where inline styles are restricted and the nonce value is not exposed.

- Updated the constructor of `DomRenderer` to accept a `CSSStyleSheet` instance as the `insertionPoint`.
- Modified the `insertStyle` method to handle `CSSStyleSheet` instances.
- Maintained support for nonce while providing an alternative for environments where the nonce value is not exposed.

This change improves the flexibility and security of style injection in JSS.
@rohitkr rohitkr requested a review from kof as a code owner November 22, 2024 10:55
@rohitkr rohitkr changed the title from "Add support for CSSStyleSheet instance in DomRenderer" to "Add support for CSSStyleSheet instance in DomRenderer for CSP enabled applications without relying on nonce" Nov 22, 2024
…support

This commit updates the documentation to include instructions for using a `CSSStyleSheet` instance with JSS in Content Security Policy (CSP) enabled applications. This addition complements the improvement introduced in this pull request by providing detailed guidance for secure style injection without relying solely on nonce attributes.

- Added a new section, **Using a `CSSStyleSheet` instance for secure style injection**, under **Configuring Content Security Policy**.
- Included an example demonstrating how to create and use a `CSSStyleSheet` instance with JSS.
- Documented the benefits and notes of using a `CSSStyleSheet` instance as an alternative to nonce-based CSP compliance.

To enhance user understanding and provide clear instructions on leveraging the newly introduced feature for improved flexibility and security in CSP-enabled environments.