Support style-src 'nonce' security policy

lit / lit-element

LEGACY REPO. This repository is for maintenance of the legacy LitElement library. The LitElement base class is now part of the Lit library, which is developed in the lit monorepo.

https://lit-element.polymer-project.org

BSD 3-Clause "New" or "Revised" License

4.49k stars 318 forks source link

Support style-src 'nonce' security policy #867

Closed redallen closed 2 years ago

redallen commented 4 years ago

Description

Inline styles are not applied and the following console error is thrown when using static get styles:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).

Live Demo

https://stackblitz.com/edit/lit-element-example-qpfhsi?file=index.html

Steps to Reproduce

Add <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-2726c7f26c'" > to <head> in a browser that does not support constructable stylesheets such as Firefox. For more details on this security policy, see MDN.

Expected Results

You can pass a nonce to the css tagged template function so it creates <style nonce="2726c7f26c> when inserting the <style> tag into the document.

Actual Results

There's no API available to set a nonce using static get styles.

Browsers Affected

[ ] Chrome
[X] Firefox
[X] Edge
[X] Safari 11
[X] Safari 10
[X] IE 11

Versions

lit-element: v2.2.1
webcomponents: v2.4.0

justinfagnani commented 4 years ago

I think we could handle this with a LitElement.styleNonce static that we apply to all injected <style> tags.

mdownes commented 3 years ago

Has there been any update on this? Or has the issue been fixed in the new lit repo? It's really stopping me adopt CSP while using lit-element

samaniehsan commented 3 years ago

has anybody found a reliable solution to this?

We have the same exact issues with lit elements.

We have an APP that consumes many lit elements as npm packages.

Those lit elements ship with their own incremental styles (in the shadow dom). (using style properties).

The app attaches nonce using a header and includes the nonce on all embedded styles and scripts.

however when lit components tries to add it's own style element the system blows due to unsafe style. as noted in this issue.

sorvell commented 2 years ago

Fixed via https://github.com/lit/lit/pull/2134

andy-blum commented 1 year ago

@justinfagnani - Is there any chance the PR linked above could get back-ported to this repo? Our team is still running on lit-element@^2.5.1 and we're hitting this issue.

justinfagnani commented 1 year ago

@andy-blum yeah, I think we can do that.

Is there any reason you haven't upgraded to LitElement 3.x yet? Things are mostly compatible, so I'm curious what incompatibilities you've run into.

andy-blum commented 1 year ago

I'm not 100% sure why we haven't upgraded, it may be in progress and it's just a long, deliberate process to ensure backwards compatibility. A minor/patch upgrade would likely be much quicker.