Stencil version:
@stencil/[email protected]
I'm submitting a:
[ ] bug report
[x] feature request
[ ] support request => Please do not submit support requests here, use one of these channels: https://stencil-worldwide.herokuapp.com/ or https://forum.ionicframework.com/
Current behavior:
Same as the closed issue - https://github.com/ionic-team/stencil/issues/496
When bundling, we automatically create an inline style, which violates strict CSP usage.
Whilst a workaround is to add each individual sha to the CSP policy, it isn't ideal and not a nice dev experience.
In webpack this was achieved by adding a top-level nonce value which would then be added to all at bundle time. - https://github.com/styled-components/styled-components/issues/887
Expected behavior:
To be able to provide a nonce for styles (should be for all scripts, img etc...) that will be added to all build-generated scripts, styles etc... Allowing apps to be CSP ready out of the box.
Steps to reproduce:
Add CSP Policy for style-src 'self' and run app.
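The workaround mentioned in the issue (one hash per inline style in the policy), as an added example that is not part of the original issue or of Stencil's code. The function names and the two sample pages are constructed for illustration; it shows why every change to a bundled inline style forces a policy update.

```javascript
// Added example (not Stencil code): hash-based style-src for inline <style> blocks.
const { createHash } = require('node:crypto');

// CSP hash source for one inline block: base64 SHA-256 of the exact text
// between the tags, whitespace included.
function cspHash(styleText) {
  const digest = createHash('sha256').update(styleText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Collect the contents of every inline <style> element. A regex is enough for
// build output we generate ourselves; use an HTML parser for arbitrary markup.
function inlineStyles(html) {
  const re = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Build the directive: 'self' plus one hash per distinct inline block.
function styleSrcFor(html) {
  const hashes = [...new Set(inlineStyles(html).map(cspHash))];
  return ["style-src 'self'", ...hashes].join(' ');
}

// Constructed sample pages standing in for two builds of the same app.
const buildA = `<html><head>
<style>my-widget{visibility:hidden}</style>
<style>.ready{visibility:inherit}</style>
</head><body><my-widget></my-widget></body></html>`;
// Same page after a one-character change to the first inline style.
const buildB = buildA.replace('visibility:hidden', 'visibility:hidden ');

console.log(styleSrcFor(buildA));
// The first hash differs here, so the deployed policy has to change with the build.
console.log(styleSrcFor(buildB));
```

A nonce, as requested in the issue, replaces this per-build list with a single per-response value in the policy.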
Working in an organization this is a critical feature for us. It's quite a hassle to add sha values for our styles.
Was there any internal discussion in the ionic team about this feature?
Is there any update from the Stencil team regarding this feature? We also have some concerns that limit some of our teams from moving ahead with the StencilJS web components used by our design system.
Hi, any update on this one? I can't believe nothing has been done yet to handle CSP in Stencil libraries. Angular and React have added support for CSP in 2015-2016!
I'm also working in a big organization and CSP is a basic security requirement for us. It's a blocker right now!
Any update would be appreciated! 👍 @adamdbradley ?
Thanks