This pull request introduces support for using a CSSStyleSheet instance provided by the user in the DomRenderer class. This enhancement is aimed at improving the flexibility and security of style injection in Content Security Policy (CSP) enabled applications. While maintaining support for nonce, it also provides an alternative for environments where the nonce value is not exposed.
Problem
In CSP enabled applications, inline styles are often restricted, making it challenging to manage stylesheets securely. The current implementation of JSS supports nonce for CSP, but it does not support the direct use of a CSSStyleSheet instance created and managed outside of JSS. This limitation hinders the ability to inject styles into a secure CSSStyleSheet, especially in environments where the nonce value is not exposed.
Solution
The proposed solution allows users to provide a CSSStyleSheet instance as the insertionPoint in the DomRenderer class. The changes include:
Updating the constructor of DomRenderer to accept a CSSStyleSheet instance.
Modifying the insertStyle method to handle CSSStyleSheet instances.
Maintaining support for nonce while providing an alternative for environments where the nonce value is not exposed.
Changes
Updated DomRenderer constructor to check if insertionPoint is an instance of CSSStyleSheet and use it directly if true.
Modified insertStyle method to insert rules into the provided CSSStyleSheet instance.
Maintained the setting of nonce attribute while providing an alternative for environments where the nonce value is not exposed.
Impact
This change enhances the security and flexibility of JSS by allowing styles to be injected into a CSSStyleSheet instance, which is particularly useful in CSP enabled environments. It ensures that JSS can be used in a wider range of applications with strict security policies, even when the nonce value is not exposed.
Testing
The changes have been tested in a CSP enabled environment to ensure that styles are correctly injected into the provided CSSStyleSheet instance without violating CSP rules.
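The behaviour described above, sketched as an added example that is not code from this pull request or from JSS: a caller-owned CSSStyleSheet is used directly and rules reach it only through the CSSOM `insertRule` call, with a nonce-carrying `<style>` element as the fallback. The names `resolveTarget`, `insertRules` and `FakeSheet` are hypothetical, and `FakeSheet` is a constructed stand-in so the block also runs outside a browser.

```javascript
// Added example; resolveTarget, insertRules and FakeSheet are hypothetical
// names, not part of JSS or of this pull request.

// Constructed stand-in, used only where the browser's CSSStyleSheet is
// missing (e.g. Node), so the example runs offline.
class FakeSheet {
  constructor() { this.cssRules = []; }
  insertRule(text, index = 0) {
    if (!/^[^{}]+\{[^{}]*\}$/.test(text.trim())) {
      throw new SyntaxError(`Failed to parse rule: ${text}`);
    }
    this.cssRules.splice(index, 0, { cssText: text });
    return index;
  }
}
const Sheet = typeof CSSStyleSheet === 'function' ? CSSStyleSheet : FakeSheet;

// Use a caller-owned sheet directly; otherwise create a <style> element and
// keep setting the nonce attribute, as the description says is maintained.
function resolveTarget(insertionPoint, nonce, doc) {
  if (insertionPoint instanceof Sheet) {
    return { sheet: insertionPoint, usesNonce: false };
  }
  const el = doc.createElement('style');
  if (nonce) el.setAttribute('nonce', nonce);
  doc.head.appendChild(el); // el.sheet is only populated once attached
  return { sheet: el.sheet, usesNonce: Boolean(nonce) };
}

// Append rules through the CSSOM in source order. A rule the parser refuses
// is collected and reported instead of aborting the remaining inserts.
function insertRules(sheet, rules) {
  const rejected = [];
  for (const rule of rules) {
    try {
      sheet.insertRule(rule, sheet.cssRules.length);
    } catch (err) {
      rejected.push(rule);
    }
  }
  return rejected;
}

// Browser usage: const sheet = new CSSStyleSheet();
// document.adoptedStyleSheets = [...document.adoptedStyleSheets, sheet];
```

Because the rules never pass through a `<style>` element's text or a `style` attribute, no inline-style source is created for a `style-src` policy to evaluate on this path.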