remove inline on** (onclick etc) handlers because of CSP violaions in addons

vitmalina / w2ui

UI widgets for modern apps. Data table, forms, toolbars, sidebar, tabs, tooltips, popups. All under 120kb (gzipped).

http://w2ui.com

MIT License

2.65k stars 730 forks source link

remove inline on** (onclick etc) handlers because of CSP violaions in addons #2147

Open opto opened 2 years ago

opto commented 2 years ago

Short description tried to use w2ui inside Mozilla addons (e.g. Thunderbird)

What is current behavior blocked due to CSP violations. Problem are the implicit onclick handlers etc.

Tried in an example position to replace

            var html =
                '<div class="w2ui-scroll-wrapper" onmousedown="var el=w2ui[\''+ this.name +'\']; if (el) el.resize();">'+
                '    <div class="w2ui-tabs-line"></div>'+

           var html =
            '<div id = "render"'+this.renderInd   + 'class="w2ui-scroll-wrapper" >'+
            '    <div class="w2ui-tabs-line"></div>'+

//!!!!!
                $("#render"+this.renderInd).on("mousedown", () => { var el=w2ui["'"+ this.name +"'"]; if (el) el.resize(); });

What is desired behavior

The above removes the CSP violations, but it is too many for me to replace (search for onclick, onmouse etc. in w2ui-1.5.js

any help/considerationof this is appreciated.

The current code works in FF, but not in addons, they seem to have different CSP requirements.

vitmalina commented 2 years ago

In version 2.0 there are plans to support strictest CSP. 1.5 will never be. However, you can set custom CSP settings for a addon, which works just fine.

opto commented 2 years ago

good to hear, many thanks. Do you have an idea how to formulat the CSP manifest entry to allow v 1.5? I tried several versions from MDN and stackoverflow and was not yet successful.

vitmalina commented 2 years ago

Add this to manifest.json

{
...
"content_security_policy": "default-src 'self' 'unsafe-eval' ; style-src 'unsafe-inline'; script-src-attr 'unsafe-inline'; img-src 'self' data:; font-src 'self' data: 'unsafe-inline';"
}

opto commented 2 years ago

many thanks, but: unfortunately, Mozilla does not allow unsafe-inline for addons (FF itself is fine): see https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy

vitmalina commented 2 years ago

I see that Chrome ext. v3 also has same problems. It works for manifest v2, but not v3. unsafe-inline is ignored for script-src

opto commented 2 years ago

yes, and it is not only in your code. In your code, I successfully updated some parts, but then I came to a point where code inside jquery caused csp errors. that is something where I do not have enough knowledge to change.

vitmalina commented 2 years ago

See https://github.com/vitmalina/bela - it is a chrome extension that uses w2ui. Works there.

vitmalina commented 2 years ago

With latest push all bug grid support following CSP:

 <meta http-equiv="Content-Security-Policy" 
          content="default-src 'self' data:; style-src 'self' 'unsafe-inline';">

opto commented 2 years ago

I tried to load that into firefox, but it does not work, throwing CSP errors (which probably was to be expected)

opto commented 2 years ago

and concerning the other post: unsafe-inline is not allowed (Thunderbird team arguing that is because TB addons have access to emails - very private information, so more security is needed)

vitmalina commented 2 years ago

Styles unsafe-inline will need to stay.