Skip to content

Add support for CSSStyleSheet instance in DomRenderer for CSP enabled applications without relying on nonce#1666

Open
rohitkr wants to merge 2 commits intocssinjs:masterfrom
rohitkr:feature/csp-fix-insertion-point
Open

Add support for CSSStyleSheet instance in DomRenderer for CSP enabled applications without relying on nonce#1666
rohitkr wants to merge 2 commits intocssinjs:masterfrom
rohitkr:feature/csp-fix-insertion-point

Conversation

@rohitkr
Copy link

@rohitkr rohitkr commented Nov 22, 2024
edited
Loading

Summary

This pull request introduces support for using a CSSStyleSheet instance provided by the user in the DomRenderer class. This enhancement is aimed at improving the flexibility and security of style injection in Content Security Policy (CSP) enabled applications. While maintaining support for nonce, it also provides an alternative for environments where the nonce value is not exposed.

Problem

In CSP enabled applications, inline styles are often restricted, making it challenging to manage stylesheets securely. The current implementation of JSS supports nonce for CSP, but it does not support the direct use of a CSSStyleSheet instance created and managed outside of JSS. This limitation hinders the ability to inject styles into a secure CSSStyleSheet, especially in environments where the nonce value is not exposed.

Solution

The proposed solution allows users to provide a CSSStyleSheet instance as the insertionPoint in the DomRenderer class. The changes include:

  • Updating the constructor of DomRenderer to accept a CSSStyleSheet instance.
  • Modifying the insertStyle method to handle CSSStyleSheet instances.
  • Maintaining support for nonce while providing an alternative for environments where the nonce value is not exposed.

Changes

  • Updated DomRenderer constructor to check if insertionPoint is an instance of CSSStyleSheet and use it directly if true.
  • Modified insertStyle method to insert rules into the provided CSSStyleSheet instance.
  • Maintained the setting of nonce attribute while providing an alternative for environments where the nonce value is not exposed.

Impact

This change enhances the security and flexibility of JSS by allowing styles to be injected into a CSSStyleSheet instance, which is particularly useful in CSP enabled environments. It ensures that JSS can be used in a wider range of applications with strict security policies, even when the nonce value is not exposed.

Testing

The changes have been tested in a CSP enabled environment to ensure that styles are correctly injected into the provided CSSStyleSheet instance without violating CSP rules.

Corresponding Issue(s):

What Would You Like to Add/Fix?

Todo

  • Add test(s) that verify the modified behavior
  • Add documentation if it changes public API

Expectations on Changes

Changelog

@rohit-wfx
Add support for CSSStyleSheet instance in DomRenderer without relying…
6c359d6 
… solely on nonce

This commit adds support for using a `CSSStyleSheet` instance provided by the user in the `DomRenderer` class. This enhancement allows JSS to inject styles directly into a `CSSStyleSheet` instance, which is particularly useful in CSP enabled applications where inline styles are restricted and the nonce value is not exposed.

- Updated the constructor of `DomRenderer` to accept a `CSSStyleSheet` instance as the `insertionPoint`.
- Modified the `insertStyle` method to handle `CSSStyleSheet` instances.
- Maintained support for nonce while providing an alternative for environments where the nonce value is not exposed.

This change improves the flexibility and security of style injection in JSS.
@rohitkr rohitkr requested a review from kof as a code owner November 22, 2024 10:55
@rohitkr rohitkr changed the title Add support for CSSStyleSheet instance in DomRenderer Add support for CSSStyleSheet instance in DomRenderer for CSP enabled applications without relying solely on nonce without relying… Add support for CSSStyleSheet instance in DomRenderer for CSP enabled applications without relying on nonce Nov 22, 2024
@rohit-wfx
Update documentation to include CSSStyleSheet instance usage for CSP …
492cdc7 
…support

This commit updates the documentation to include instructions for using a `CSSStyleSheet` instance with JSS in Content Security Policy (CSP) enabled applications. This addition complements the improvement introduced in this pull request by providing detailed guidance for secure style injection without relying solely on nonce attributes.

- Added a new section, **Using a `CSSStyleSheet` instance for secure style injection**, under **Configuring Content Security Policy**.
- Included an example demonstrating how to create and use a `CSSStyleSheet` instance with JSS.
- Documented the benefits and notes of using a `CSSStyleSheet` instance as an alternative to nonce-based CSP compliance.

To enhance user understanding and provide clear instructions on leveraging the newly introduced feature for improved flexibility and security in CSP-enabled environments.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kof kof Awaiting requested review from kof kof is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rohitkr @rohit-wfx