Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Content-Security-Policy 'nonce' not working for some elements #15911

Closed
jlfrances opened this issue Jun 26, 2024 · 2 comments · Fixed by #15949 · 4 remaining pull requests
Closed

Content-Security-Policy 'nonce' not working for some elements #15911

jlfrances opened this issue Jun 26, 2024 · 2 comments · Fixed by #15949 · 4 remaining pull requests
Assignees
Labels
Type: Bug Issue contains a bug related to a specific component. Something about the component is not working
Milestone

Comments

@jlfrances
Copy link

jlfrances commented Jun 26, 2024

Describe the bug

The bug happens for some elements that are not applying the CSP 'nonce' policy correctly.

In my case, the p-table element is failing since it seems when it's configured as responsive, using responsiveLayout="stack" (check PrimeNG docs here), there are inline styles applied dynamically (using the innerHTML attribute) that do not contain the 'nonce' attribute.

I have replicated the error in a Stackblitz.

Check the Steps to reproduce the behavior section for details.

Reproducer

https://stackblitz.com/edit/2xjzsk

Angular version

18

PrimeNG version

17.18.1

Build / Runtime

Angular CLI App

Language

TypeScript

Node version (for AoT issues node --version)

20

Browser(s)

No response

Steps to reproduce the behavior

I added to my project the configurations provided by Angular and PrimeNG in order to apply and comply the Content-Security-Policy NONCE feature as follows:

Angular configurations (see Security section):

Angular configurations

index.html

  1. The meta tag
    image

  2. The ngCspNonce attribute in the main component drawing

PrimeNG configurations (see Configution > CSP)

prime ng docs

table-basic-demo.ts

  1. The PrimeNG configuration
    prime ng configuration

Error(s)

When loading the p-table component, you could see errors saying that nonce is not implemented for some inline styles.

table errors

Note that there might be other errors not related to this issue.

Error 1: related to other component. Might be related to the same nonce issue.

Error 2 and 3: related to p-table issue.
In createResponsiveStyle() function is where the issue happens:
table error function

Related issue

#14847 p-pickList: Content-Security-Policy throws a inline-style error when [responsive]="true"

@jlfrances jlfrances added the Status: Needs Triage Issue will be reviewed by Core Team and a relevant label will be added as soon as possible label Jun 26, 2024
@SoyDiego
Copy link
Contributor

@cetincakiroglu This is the problem that I was talking with you.

@jlfrances
Copy link
Author

I was checking the table.ts component code, and it seems that nonce is not applied in the function I reported before (createResponsiveStyle()), as it's done in a function immediately above called createStyleElement().

Could this be the related to the issue?

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment