Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Inline styles blocked by CSP style-src header #12580

Closed
9 of 10 tasks
TannerS opened this issue Nov 8, 2022 · 17 comments · Fixed by #12784
Closed
9 of 10 tasks

[Bug]: Inline styles blocked by CSP style-src header #12580

TannerS opened this issue Nov 8, 2022 · 17 comments · Fixed by #12784
Assignees
@alisonjoseph
Labels
role: dev 🤖 severity: 2 https://ibm.biz/carbon-severity type: bug 🐛
Milestone
2022 Q4

Comments

@TannerS
Copy link
Contributor

TannerS commented Nov 8, 2022
edited by alisonjoseph
Loading

Package

@carbon/react

Browser

Chrome, Firefox

Package version

^1.5.0

React version

v17

Description

Background

IBM console / cloud has started to implement the CSP header ( https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP ). Part of that is it blocks inline styles,

<style>
// css here
<style>

will be blocked unless it has a nonce value passed in by the consumer

where

<div style=....></div>

will be blocked no matter what

this is problematic since all of ibm cloud ios moving to CSP, some inline styles (second example) will be blocked by CSP and break the component to some limit.

Here is some that I personally searched for and found in the carbon repo (click to expand)

DatePicker

with csp
image

without
image

image

image

image

image

image

image

image

This one for some reason doesnt give me a warning but if you look here theres a style property that gets added (i changed it to height to show an example)

image

but csp can affect browsers differently so it should be something to look into

SkeletonText / Slider / ProgressBar

These also have inline styles that may be blocked by csp so worth a look

Other

image

Suggested Severity

Severity 3 = User can complete task, and/or has a workaround within the user experience of a given component.

Reproduction/example

N/A

Steps to reproduce

I am testing on my local microservice for ibm cloud with csp to verify

DatePicker

Code of Conduct

#12580 (comment)
@tay1orjones tay1orjones changed the title [Bug]: Inline styles blocked by CSP header [Bug]: Inline styles blocked by CSP style-src header Nov 9, 2022
@tay1orjones
Copy link
Member

tay1orjones commented Nov 9, 2022
edited
Loading

Thanks for opening this with so much detail!

To summarize the situation (let me know if I miss anything):

  • When using a Content Security Policy (CSP) header with style-src directive, inline styles are blocked
  • Allowing inline styles by providing a nonce is not an option because this method can only be applied to <script> or <style>, not style=""

On our end, one potential way to fix this would be to reduce the usage of inline styles within the components. Unfortunately, the examples you list above are almost all coming from third party flatpickr library. The likelyhood that we're able to completely fix this is low until we revisit datepicker altogether, #11967.

In the meantime, it seems a decent workaround to this problem altogether is using a hash to allow inline style attributes. It's safer than doing unsafe-inline and supported in all modern browsers. IIUC there's nothing that Carbon needs to do for this, you'd just need to add the CSP unsafe-hashes keyword to your style-src directive.

@TannerS
Copy link
Contributor Author

TannerS commented Nov 9, 2022

Thanks for opening this with so much detail!

To summarize the situation (let me know if I miss anything):

* When using a Content Security Policy (CSP) header with [`style-src` directive](https://content-security-policy.com/style-src/), inline styles are blocked

* Allowing inline styles by [providing a `nonce`](https://content-security-policy.com/nonce/) is not an option because this method can only be applied to `<script>` or `<style>`, not `style=""`

On our end, one potential way to fix this would be to reduce the usage of inline styles within the components. Unfortunately, the examples you list above are almost all coming from third party flatpickr library. The likelyhood that we're able to completely fix this is low until we revisit datepicker altogether, #11967.

In the meantime, it seems a decent workaround to this problem altogether is using a hash to allow inline style attributes. It's safer than doing unsafe-inline and supported in all modern browsers. IIUC there's nothing that Carbon needs to do for this, you'd just need to add the CSP unsafe-hashes keyword to your style-src directive.

Sup man, so

When using a Content Security Policy (CSP) header with style-src directive, inline styles are blocked

I think inline styles are blocked no matter what directives are defined, as long as csp is turned on

Allowing inline styles by providing a nonce is not an option because this method can only be applied to <script> or <style>, not style=""

correct, but nonce and hashing has some limits, (see below)

In the meantime, it seems a decent workaround to this problem altogether is using a hash to allow inline style attributes. It's safer than doing unsafe-inline and supported in all modern browsers. IIUC there's nothing that Carbon needs to do for this, you'd just need to add the CSP unsafe-hashes keyword to your style-src directive.

if i remember correctly, we cannot do any unsafe-* for cloud or else we will get pinged to fix it. To also add, if u were to go the hash route (which means any changes will break the hash) the consuming site also has to add it to there csp policy

for example, most of console is using nonce, the consumer has to be able to generate it per request and attach it to all there stuff and add it to the policy

for hashes, if i remember correctly, you guys generate it but we have to add it for every single page that needs it csp policy which for most is a code change and any changes (or if they are generated differently) will break it

i think that works for inline styles, i am a bit rusy on hashing but know some teams have tried it

@TannerS
Copy link
Contributor Author

TannerS commented Nov 10, 2022

@tay1orjones @tw15egan besides the above, found a related issue #12386

@tay1orjones
Copy link
Member

we cannot do any unsafe-*

In that case, the workaround you'll need to explore is how to apply the required (inline) styles yourself via a class instead.

I think the primary things that can be tackled here are:

PRs to help out would be much appreciated

@TannerS
Copy link
Contributor Author

TannerS commented Nov 10, 2022 via email
edited by alisonjoseph
Loading

@TannerS TannerS mentioned this issue Nov 10, 2022
Closed
2 tasks
@tay1orjones tay1orjones moved this to ⏱ Backlog in Design System Nov 11, 2022
@tay1orjones tay1orjones added severity: 2 https://ibm.biz/carbon-severity and removed severity: 3 https://ibm.biz/carbon-severity labels Nov 11, 2022
@tay1orjones
Copy link
Member

I've added a task list to the issue body containing the components using inline styling. It includes a task to determine if we can reduce/remove inline styling stemming from third party libraries like flatpickr (there may be others - downshift?)

@tay1orjones
Copy link
Member

This would improve the situation greatly, but there's been no movement -w3c/webappsec-csp#174

@TannerS
Copy link
Contributor Author

TannerS commented Nov 11, 2022 via email
edited by alisonjoseph
Loading

@tay1orjones tay1orjones added this to the 2022 Q4 milestone Nov 16, 2022
@alisonjoseph alisonjoseph moved this from ⏱ Backlog to 🏗 In Progress in Design System Nov 29, 2022
@tay1orjones
Copy link
Member

Another way we could set styles dynamically would be to use CSSOM, which should be compatible with CSP.

Instead of rendering an inline style like this

<div id="test" style="left: 300px;"/>

we could instead set it imperatively via

document.getElementById('test').style.left = '300px';

@TannerS
Copy link
Contributor Author

TannerS commented Dec 1, 2022 via email

@andy-blum
Copy link
Member

Hey there! checking in from the carbon-for-ibmdotcom side of things and CSSOM totally works.

Per MDN:

Inline style attributes are also blocked:

<div style="display:none">Foo</div>

As well as styles that are applied in JavaScript by setting the style attribute directly, or by setting cssText:

document.querySelector('div').setAttribute('style', 'display:none;');
document.querySelector('div').style.cssText = 'display:none;';

However, styles properties that are set directly on the element's style property will not be blocked, allowing users to safely manipulate styles via JavaScript:

document.querySelector('div').style.display = 'none';

As an example, here's a quick codepen

@alisonjoseph alisonjoseph mentioned this issue Dec 5, 2022
Merged
11 tasks
@tay1orjones tay1orjones mentioned this issue Dec 6, 2022
Closed
2 tasks
@alisonjoseph alisonjoseph moved this from 🏗 In Progress to 🚦 In Review in Design System Dec 7, 2022
@kodiakhq kodiakhq bot closed this as completed in #12784 Dec 13, 2022
Repository owner moved this from 🚦 In Review to ✅ Done in Design System Dec 13, 2022
@tay1orjones tay1orjones mentioned this issue Mar 3, 2023
Merged
@dabrad26
Copy link
Member

dabrad26 commented May 1, 2023
edited
Loading

Hi. Was wondering if the groups on this ticket had any luck with SVGs and their inline stuff for their products. We are running into issues with the pictograms. So wondering if your products found a work around. Happy to connect via slack as well ((at)david)

@tay1orjones
Copy link
Member

@andy-blum or @TannerS have either of you encountered and had to resolve issues with SVGs or the pictograms and CSP?

@andy-blum
Copy link
Member

Which styles specifically are in an inline attribue? Could you move them to their own specific attributes?

For example, instead of

<path 
  id="path14"
  style="fill:#354a8e;fill-opacity:1;fill-rule:nonzero;stroke:none"
  d="L 4424.6,237.121"
>

You could do

<path
  id="path14"
  fill="#354a8e"
  fill-opacity="1"
  fill-rule="nonzero"
  stroke="none"
  d="L 4424.6,237.121"
>

source

@dabrad26
Copy link
Member

dabrad26 commented May 3, 2023

It seems to be however the SVG are made (some seem good. Some have issues). I assume most came from designers and just converted to react components.

Updating all to be attributed instead of inline would be the solution. But a bit of a painful one for migrating all the SVGs. So was just wondering if any better options appeared.

@andy-blum
Copy link
Member

Not particularly. Inline styles are only allowable under a CSP if you know the exact markup beforehand and can pass a hash in with the CSP directive headers

@andy-blum
Copy link
Member

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#hash-algorithm-base64-value

@anamikaanu96 anamikaanu96 mentioned this issue Sep 26, 2024
Closed
2 tasks
@matthewgallo matthewgallo mentioned this issue Oct 8, 2024
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alisonjoseph alisonjoseph

Labels
role: dev 🤖 severity: 2 https://ibm.biz/carbon-severity type: bug 🐛
Projects
Design System
Archived in project
Milestone
2022 Q4
Development

Successfully merging a pull request may close this issue.

fix: remove inline styles
5 participants
@alisonjoseph @tay1orjones @dabrad26 @TannerS @andy-blum