Strict CSP/Nonce for style-src directive

fkock1997 · October 24, 2024, 11:46am

Hi all,

I was already succesful implementing a nonce for the style-src tags as described in the docs Content Security Policy | Advanced Security Topics | Security | Flow | Vaadin Docs . I was unable to use the same mechanism to mitigate the necessity of setting ‘unsafe-inline’ (still errors are thrown that unsafe-inline is still needed). Is there a possibility to also use a nonce for the script-src directive and is there an official documentation? Or is it still needed like that to enable the bootstrap process?

Thank you in advance!

Tatu2 · October 25, 2024, 6:16am

Yes. It is good to note that Vaadin’s frontend bundle has unique hash-key per build generated during build time, which is injected to final code. This will protect bootstrap process.

Kurki · October 28, 2024, 8:37am

Hi,

just wanted to confirm if this thread was about style-src (mentioned in the topic) or script-src (mentioned in your message)? If you still have issues with the script-src CSP, could you please provide all error output from browser console so I could take a look what is going wrong.

fkock1997 · October 29, 2024, 6:51am

Hi @Kurki
sorry that was a typo. In this thread I’m refererring to the style-src directive. For script-src it is more or less working fine. I’ll adapt it in the message above.

Thank you!

EDIT: I think the initial post can’t be editied(?). So to clarify, I’m referring in this thread to style-src

fkock1997 · October 29, 2024, 6:54am

Does this mean that CSS injection is not really possible? But if it is using a hash, why is there the necessity of using unsafe-inline if there are hashes which could be used for the CSP? Can I acess these hashes to add them dynamically to the CSP Header?

Kurki · October 29, 2024, 8:12am

Ok, thanks for the clarification. I tested this and looks like in the Flow side there’s no style injection, it comes from the Components and theme. That said, would need some changes there. Should be doable but not sure of the effort needed, I’ll try to find out.

As for the hash, I think Tatu is referring to something else there.

Update: This PR will store the nonce value in global scope. This should allow components to use the nonce value (if available) for injected styles also, but that will require a separate change in components.

Kurki · October 29, 2024, 12:34pm

github.com/vaadin/web-components

Enable using nonce style-src based CSP with components

opened 12:33PM - 29 Oct 24 UTC

tepi

enhancement

### Describe your motivation Starting from 24.5 [Flow has made it possible to u…se strict CSP rules with a nonce](https://vaadin.com/docs/latest/flow/security/advanced-topics/strict-csp). It would be great if this was possible for styles as well using style-src with nonce. ### Describe the solution you'd like To enable this, web components should inject the nonce value to all style tags. The nonce value (if in use) is made available by Flow in `window.Vaadin.Flow.nonce` once [this PR](https://github.com/vaadin/flow/pull/20342) has been merged. ### Describe alternatives you've considered Could not find a workaround to do this from Flow side. ### Additional context _No response_