Add 'unsafe-inline' to style-src in CSP to enable server-rendered inline React styles #2436
Conversation
|
Not 100% happy to just copypasta the CSP rules between shell & JS files, but couldn't think of an easy way to DRY that out. |
…ine React styles - Also inject content-security-policy header in the local dev server - See also: facebook/react#5878 (comment) Issue mozilla#2434. Fixes mozilla#2432.
lmorchard
force-pushed
the
csp-on-local-dev
branch
from
efad713 to
c90c38a
Compare
|
Let's go ahead and merge this now, but try to move the inline styles out into css files and remove unsafe-inline styles before the sprint is over. |
|
Doesn't adding In an attempt to help decrease the maximum severity of the problems caused by injections, keeping the CSS-related CSP settings safe is pretty important. |
|
CC @april for the above comment. |
|
There is a particular pattern that can cause that issue. Are you setting |
|
@april If one sets the |
|
Yes, that is exactly the pattern that can be dangerous. I would recommend not doing that, especially for sensitive fields like credit cards or passwords. For those, I recommend letting them be uncontrolled. Note that you can still do things with them (sorry for not responding for a while, I was out of town) |
|
FWIW, the only form submission we have on the site is for an email newsletter signup. Not entirely harmless, but also not a credit card or password field |
|
In that case, you can probably just do your normal controlled inputs and not worry about it too much. :) |
Also inject content-security-policy header in the local dev server
See also: React inline styles blocked by CSP policy for 'style-src' facebook/react#5878 (comment)
Issue #2434