Closed g-stefan closed 5 months ago
Good day @g-stefan :)
I haven't really considered CSP before.
To me this implementation looks a little bit hacky, wouldn't something like this be better?
```js
// assign the nonce before you interact with the library
OverlayScrollbars.nonce('noncevalue');
// after the nonce is assigned you can do everything
const osInstance = OverlayScrollbars(document.body, {});
```
Yes, that is better. The nonce must be applied to the style node fragment. I don't know the internals, how the style node is generated/extracted. So it is a hacky way for me at the moment. Thank you!
@g-stefan I've published v2.9.0
which includes this change :)
Tested. Works flawlessly! Thank you!
This modification allows usage when a CSP nonce is set (same nonce on script and style). The Content-Security-Policy headers are as follows:
The code uses the nonce from the first loaded script in the document (can be the OverlayScrollbars source or other), as allowed by the JavaScript CSP specification (Nonce). I can now use OverlayScrollbars with a more restrictive CSP. No need for unsafe-inline.
Without patch:
With patch:
Thank you!
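An added example, not part of this pull request or the OverlayScrollbars code base: a server-side sketch that issues one nonce per response for both `script-src` and `style-src`, audits the resulting policy, and emits the inline bootstrap that passes the nonce to `OverlayScrollbars.nonce()` as in the thread. The helper names and the exact policy string are assumptions.

```javascript
// Added example, not OverlayScrollbars code. Helper names are hypothetical.
const { randomBytes } = require('node:crypto');

// Fresh 128-bit nonce per response; a reused nonce defeats the policy.
const newNonce = () => randomBytes(16).toString('base64');

// Same nonce in script-src and style-src, and no 'unsafe-inline'.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ].join('; ');
}

// Parse a policy string into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Report what would block nonce-tagged styles, or weaken the policy.
function auditCsp(header, nonce) {
  const policy = parseCsp(header);
  const problems = [];
  for (const dir of ['script-src', 'style-src']) {
    const sources = policy[dir] || [];
    if (sources.includes("'unsafe-inline'")) problems.push(`${dir}: 'unsafe-inline' present`);
    if (!sources.includes(`'nonce-${nonce}'`)) problems.push(`${dir}: nonce missing`);
  }
  return problems;
}

// Inline bootstrap served with the nonce; mirrors the snippet from the thread.
// Assumes OverlayScrollbars is already in scope on the page.
function renderBootstrap(nonce) {
  return `<script nonce="${nonce}">
  OverlayScrollbars.nonce(${JSON.stringify(nonce)});
  OverlayScrollbars(document.body, {});
</script>`;
}
```

Send `buildCsp(nonce)` as the `Content-Security-Policy` header of the same response that carries `renderBootstrap(nonce)`, and run `auditCsp` in a test to catch a policy that regresses to `'unsafe-inline'`.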