feat: add ElementStyles.styleNonce for strict Content Security Policy#7653
Open
AKnassa wants to merge 1 commit into
Open
feat: add ElementStyles.styleNonce for strict Content Security Policy#7653AKnassa wants to merge 1 commit into
AKnassa wants to merge 1 commit into
Conversation
Injected <style> elements carried no nonce, so under a strict style-src (no 'unsafe-inline') the browser blocked them. Applications can now set `ElementStyles.styleNonce` (mirrored on FASTElement) and it is stamped onto every style element FAST creates. The nonce is read lazily at style-application time, because `css` templates build their ElementStyles at module evaluation, long before application code runs. Fixes microsoft#5444
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Lets applications running a strict Content Security Policy tell FAST which nonce to stamp on the
<style>elements it creates, so the browser stops blocking them.Why
Under a strict
style-srcpolicy — no'unsafe-inline'— a browser blocks any<style>element that does not carry the page's nonce. FAST creates style elements without one, so components rendered through that path come out unstyled.The audience that runs strict CSP is exactly FAST's audience: enterprise and government. There was also no
## Securitysection in the fast-element README, which a FAST collaborator had explicitly asked for.What changed
ElementStyles.styleNonce— set it once at startup and every style element FAST creates carries the nonce.FASTElement.styleNoncefor convenience.## Securitysection to the fast-element README.The nonce is read lazily, at the moment styles are applied. This matters:
csstagged templates build theirElementStyleswhen the module is first evaluated, long before your application code runs. Capturing the nonce at construction time would mean it was always undefined — which is the exact bug an obvious implementation ships.There turned out to be two places that create style elements, not one. Both are fixed.
An honest answer to "what does this actually unblock?"
On every browser FAST supports, adopted stylesheets are available and are the default — and adopted stylesheets are not subject to
style-srcat all. So this changes nothing for the default path.It closes the gap on the style-element path, which is reachable via
withStrategy()/setDefaultStrategy(), and which is the automatic fallback where adopted stylesheets are absent.Whether
StyleElementStrategyshould also be exported publicly so applications can opt into it deliberately is a separate question, and is deliberately not bundled into this PR.Also noticed, not fixed here
element.innerHTML = styles[i]bypassesDOM.policy.createHTML, so it is a Trusted Types sink. Out of scope for this change, but worth its own issue.How to see it
Run the
fast-elementtest suite.styles/styles.pw.spec.tscovers it, including the case that matters most: setting the nonce after theElementStylesinstance already exists, and confirming it still lands.Fixes #5444