search

sandstorm / Sandstorm.CookiePunch

Neos Package for content-first consent management built on top of klaro.js.
MIT License
5 stars 3 forks source link

CSP registers style-src conflict with cookiepunch.js #26

Closed adrian-cerdeira closed 4 months ago

adrian-cerdeira commented 7 months ago

I have a problem to use CSP-Header with this package. It gives me this error:

Bildschirm­foto 2024-03-21 um 11 39 51

In the code the error is that it doesnt have a nonce value the dynamically added stylesheet. Can we maybe define this in the settings or other possibility?

  function s(e) {
                    var t = document.createElement("style")
                      , o = e.attributes || {};
                    if (void 0 === o.nonce) {
                        var i = n.nc;
                        i && (o.nonce = i)
                    }
                    if (Object.keys(o).forEach((function(e) {
                        t.setAttribute(e, o[e])
                    }
                    )),
                    "function" == typeof e.insert)
                        e.insert(t);
                    else {
                        var a = r(e.insert || "head");
                        if (!a)
                            throw new Error("Couldn't find a style target. This probably means that the value for the 'insert' parameter is invalid.");
                        a.appendChild(t)
                    }
                    return t
                }
t-heuser commented 4 months ago

@adrian-cerdeira Hey, I also tried to use CSP-Headers in Neos in combination with this package.

I started using https://github.com/LarsNieuwenhuizen/Nieuwenhuizen.ContentSecurityPolicy where the last version is over 6 years old now, so it isn't working anymore. I'm trying to repair the package at the moment and later there will be a working version of the package.

I was able to add nonce-Values to Tags where needed but the value was removed. This is an ongoing issue in Klaro, which is used by CookiePunch. There is an open issue and PR since a long time now in Klaro: https://github.com/klaro-org/klaro-js/issues/441

So hopefully the issue in Klaro will be resolved soon and I'll be able to publish the fixes for the Nieuwenhuizen.ContentSecurityPolicy package and then we can easily use CSP-Headers in Neos.

But in this package here there is no issue with CSP and nonces directly so I think that the issue can be closed @fheinze

adrian-cerdeira commented 4 months ago

@t-heuser Thanks for the information, keep me updated 😃