Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Content Security Policy Nonces Documentation doesn't mention where to import setNonce method from #1607

Open
2 tasks done
GauravJKshirsagar opened this issue Dec 9, 2024 · 5 comments
Open
2 tasks done

Content Security Policy Nonces Documentation doesn't mention where to import setNonce method from #1607

GauravJKshirsagar opened this issue Dec 9, 2024 · 5 comments
Labels
Needs validation

Comments

@GauravJKshirsagar
Copy link

Prerequisites

  • I have read the Contributing Guidelines.
  • I have not leaked any internal/restricted information like screenshots, videos, code snippets, links etc.

What happened?

The CSP Nonces Docu from IX does not give a example of how to use it in an Angular application. The documention mentions to read official stencil documention which provides a setNonce method. However the IX documention does not mention where to import this setNonce method from. I have created a stackblitz example here making edits to index.html and main.ts. But I am still getting console erros coming from IX related to CSP. Am I missing something here ?
@GauravJKshirsagar GauravJKshirsagar added the triage We discuss this topic in our internal weekly label Dec 9, 2024
@danielleroux
Copy link
Collaborator

Just tested it locally. Looks good on my side:

adding csp header:

    <meta
      http-equiv="Content-Security-Policy"
      content="script-src 'self' 'nonce-randomNonceGoesHere'; style-src 'self' 'nonce-randomNonceGoesHere'"
    />

setNonce

import { setNonce } from '@siemens/ix/loader';
import { setNonce as setNonceIcons } from '@siemens/ix-icons/loader';

const nonce = 'randomNonceGoesHere';

setNonce(nonce);
setNonceIcons(nonce);

Did you forgot to configure the angular side?

https://angular.dev/best-practices/security#content-security-policy

e.g

    <app-root ngCspNonce="randomNonceGoesHere"></app-root>

@danielleroux danielleroux added wait for response Wait for author response Needs validation and removed triage We discuss this topic in our internal weekly Needs validation labels Dec 9, 2024
@GauravJKshirsagar
Copy link
Author

Configuring on angular should not matter in this case, as I would anyways get errors from angular. But even after configuring the angular side (which fixes the angular errors), I still get console errors from IX.

@GauravJKshirsagar
Copy link
Author

For example this is a plain javascript example for IX,
stackblitz link
Even here we get 1 console error from IX.

@danielleroux
Copy link
Collaborator

Also here you have in mind that you need to expose a nonce to vite because css import is handled as inline style.
Also looks like there is an issue regarding parallel bootstrap components within stencil:

 <meta name="csp-nonce" content="abc" />
  • Resolve parallel bootstrap issue:
defineIconsCustomElements();
setTimeout(() => {
  defineCustomElements();
});

@danielleroux danielleroux added Needs validation and removed wait for response Wait for author response labels Dec 9, 2024
@danielleroux danielleroux mentioned this issue Dec 9, 2024
Merged
8 tasks
@GauravJKshirsagar
Copy link
Author

GauravJKshirsagar commented Dec 9, 2024
edited
Loading

Thanks for the workaround. And setTimeout thing works for javascript. Any idea how we could do it for Angular ( as we use IxModule directly) since it would be better to use setNonce rather than <meta name="csp-nonce" content="abc" />.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs validation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@danielleroux @GauravJKshirsagar