Closed redallen closed 2 years ago
I think we could handle this with a LitElement.styleNonce static that we apply to all injected <style> tags.
Has there been any update on this? Or has the issue been fixed in the new lit repo? It's really stopping me from adopting CSP while using lit-element.
Has anybody found a reliable solution to this?
We have the same exact issues with lit elements.
We have an app that consumes many lit elements as npm packages.
Those lit elements ship with their own incremental styles (in the shadow DOM), using style properties.
The app attaches a nonce using a header and includes the nonce on all embedded styles and scripts.
However, when lit components try to add their own style element, the system blows up due to unsafe style, as noted in this issue.
Fixed via https://github.com/lit/lit/pull/2134
@justinfagnani - Is there any chance the PR linked above could get back-ported to this repo? Our team is still running on lit-element@^2.5.1 and we're hitting this issue.
@andy-blum yeah, I think we can do that.
Is there any reason you haven't upgraded to LitElement 3.x yet? Things are mostly compatible, so I'm curious what incompatibilities you've run into.
I'm not 100% sure why we haven't upgraded; it may be in progress and it's just a long, deliberate process to ensure backwards compatibility. A minor/patch upgrade would likely be much quicker.
Description
Inline styles are not applied and the following console error is thrown when using static get styles:
Live Demo
https://stackblitz.com/edit/lit-element-example-qpfhsi?file=index.html
Steps to Reproduce
<meta http-equiv="Content-Security-Policy" content="style-src 'nonce-2726c7f26c'"> to <head> in a browser that does not support constructable stylesheets such as Firefox. For more details on this security policy, see MDN.
Expected Results
You can pass a nonce to the css tagged template function so it creates <style nonce="2726c7f26c"> when inserting the <style> tag into the document.
Actual Results
There's no API available to set a nonce using static get styles.
Browsers Affected
Versions
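An added example, not part of the original issue or of lit's code: a simplified JavaScript model of the CSP check a browser applies to inline <style> elements, showing why a <style> injected without a nonce is blocked under the policy from the reproduction steps. The function names are hypothetical, and only nonce and 'unsafe-inline' sources are modeled (no hashes, no style-src-elem).

```javascript
// Simplified model of the CSP decision for an inline <style> element.
// Assumption: only nonce and 'unsafe-inline' sources are considered.

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// True if an inline <style> whose nonce attribute is `nonceAttr`
// (null when the attribute is absent) would be applied under `policy`.
function inlineStyleAllowed(policy, nonceAttr) {
  const directives = parseCsp(policy);
  // style-src falls back to default-src; with neither, styles are unrestricted.
  const sources = directives.get('style-src') ?? directives.get('default-src');
  if (sources === undefined) return true;

  const nonces = sources
    .map((s) => /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);

  // Nonce comparison is exact and case-sensitive.
  if (nonceAttr && nonces.includes(nonceAttr)) return true;
  // 'unsafe-inline' is ignored as soon as the source list contains a nonce.
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return unsafeInline && nonces.length === 0;
}

// Policy taken from the <meta> tag in the issue.
const POLICY = "style-src 'nonce-2726c7f26c'";

// Constructed cases: the app's own nonced <style>, and the <style> a
// component injects into its shadow root without a nonce attribute.
function demo() {
  return {
    appStyleWithNonce: inlineStyleAllowed(POLICY, '2726c7f26c'),
    injectedStyleWithoutNonce: inlineStyleAllowed(POLICY, null),
    injectedStyleWrongNonce: inlineStyleAllowed(POLICY, 'deadbeef'),
  };
}
console.log(demo());
```

Adding 'unsafe-inline' next to the nonce does not rescue the injected style, because the nonce's presence disables it; the injected element itself has to carry the nonce.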