Promotion of unsafe code

[xi]

Documentation Is:

• [ ] Missing
• [X] Needed
• [X] Confusing
• [ ] Not Sure?

Please Explain in Detail...

Content Security Polcies (CSPs) make the web a safer place. Authors can use unsafe policies, but those are clearly labelled so authors do not use them by accident. One such unsafe policy is unsafe-inline.

This loader heavily promotes unsafe-inline code: All available options for injectType except for linkTag are unsafe, including the default value (styleTag). This makes it a barrier for the adoption of tighter CSPs. As this loader is used on a lot of websites, this has a huge impact on the security of the web in general.

As discussed in #306 and #487, CSPs allow to use nonces for inline code. However, these are not a proper solution. The spec is quite clear about the many drawbacks of nonces:

Using a nonce to allow inline script or style is less secure than not using a nonce, as nonces override the restrictions in the directive in which they are present. An attacker who can gain access to the nonce can execute whatever script they like, whenever they like. That said, nonces provide a substantial improvement over 'unsafe-inline' when layering a content security policy on top of old code. When considering 'unsafe-inline', authors are encouraged to consider nonces (or hashes) instead.

Your Proposal for Changes

• Change the default inject type to linkTag
• Clearly explain the security issues of all other inject types
• Clearly explain the security issues of nonces

[alexander-akait]

We can improve out documentation, our official recommendation is use https://github.com/webpack-contrib/style-loader#recommend and use style-loader only for development purposes for perf reasons, anyway in some cases developers want to inline CSS due to some internal reasons and we can't forbid it to them, when you should trust your code when you inline it