Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue setting strict CSP in production #16749

Open
7 tasks done
TylerWanta opened this issue May 22, 2024 · 9 comments
Open
7 tasks done

Issue setting strict CSP in production #16749

TylerWanta opened this issue May 22, 2024 · 9 comments
Labels
enhancement New feature or request has workaround

Comments

@TylerWanta
Copy link

Describe the bug

I am having the same issue as here, but the solution isn't working for me.

I'm using Electron + Vite and am trying to set a strict CSP (one with no unsafe-inline). Since I am using Electron and am not fetching my resources from a server, the nonce specified for cspNonce is generated right above the config. I then just use a plugin to inject the nonce into the index.html. This works fine in dev when the entire process is ran every time I run the app, but in production the process is only ran when packaging the app and never again. This is problematic as the nonce will no longer be regenerated, defeating the whole purpose. It would be nice if a strict CSP was supported without having to use a nonce.

// electron.vite.config.ts
let nonce = crypto.randomBytes(16).toString('base64');

const transformHtmlPlugin = data => ({
	name: 'transform-html',
	transformIndexHtml: {
		transform(html)
		{
			return html.replace(
				/<%=\s*(\w+)\s*%>/gi,
				(match, p1) => data[p1] || ''
			);
		}
	}
});

export default defineConfig({
	renderer: {
		plugins: [
			transformHtmlPlugin({ nonce: nonce })
		],
		html: {
			cspNonce: nonce
		},
	},
})

// index.html
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'nonce-<%= nonce %>'" />

Reproduction

https://github.com/TylerWanta/vite-csp-issue

Steps to reproduce

This will be an issue with any vite build with a strict CSP and no cspNonce specified.

Clone the repo provided
cd vite-csp-issue
npm run dev
You can see the issue in the console but clicking CTRL + Shift + i

System Info

System:
    OS: Windows 11 10.0.22631
    CPU: (32) x64 13th Gen Intel(R) Core(TM) i9-13900KF
    Memory: 18.28 GB / 31.85 GB
  Binaries:
    Node: 21.5.0 - C:\Program Files\nodejs\node.EXE
    npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Chromium (123.0.2420.97)
    Internet Explorer: 11.0.22621.1
  npmPackages:
    @vitejs/plugin-vue: ^4.3.1 => 4.6.2
    vite: ^5.2.11 => 5.2.11

Used Package Manager

npm

Logs

No response

Validations
@btea

This comment was marked as off-topic.

Sign in to view
@TylerWanta
Copy link
Author

TylerWanta commented May 23, 2024
edited
Loading

@btea I'm not entirely sure I follow and how adding it to the original meta tag would differ from how I am doing it now. Either way, and correct me if I'm wrong, I think the main issue will still remain; after packaging the app the nonce will no longer be regenerated.

@btea

This comment was marked as off-topic.

Sign in to view
@TylerWanta
Copy link
Author

@btea My issue isn't getting the nonce to work, I already have that working. My issue is that using a nonce seems to be the only supported way of using a strict Content Security Policy with Vite. This won't work for me because after I package my app with electron, the nonce won't be regenerated anymore. Having a static nonce in my index.html defeats the whole purpose of a nonce.

@btea
Copy link
Collaborator

btea commented May 23, 2024

Oh, sorry, it seems that I misunderstand what you mean. 🤦‍♂️

@TylerWanta
Copy link
Author

No worries! I appreciate you trying to help

@RockiRider
Copy link

@TylerWanta Hey! I have been working on a vite plugin to solve this specific problem. The issue is the nonce strategy doesn't support SPA's - what we need is hashes. Here is the plugin - its still pre 1.0 but I have written up some extensive documentation for the plugin as well as this specific problem.

Try it out and let me know what you think! All feedback is welcome

@mateyocedric
Copy link

Hello @RockiRider does it support nonce? I do have the same problem with @TylerWanta I need to generate nonce for every reload of an app because it only happens when build

@RockiRider
Copy link

RockiRider commented Aug 5, 2024
edited
Loading

Hello @RockiRider does it support nonce? I do have the same problem with @TylerWanta I need to generate nonce for every reload of an app because it only happens when build

Nope it doesn't support nonce's purely because Single Page Applications typically don't run on a server.

If you want nonce support you need a server. I have written up a small guide to help developers out that are either:

  • Running a server
  • Using a meta framework (Multi Page Application's)
  • Desire nonce functionality

If you are using an SPA though you don't need nonce's, hashing at build time is a pretty decent alternative, just harder to implement. Here is a guide for Single Page Applications

I know Vite does have an SSR support, so maybe this is something I build into the plugin later, but not for now!

@sapphi-red sapphi-red added enhancement New feature or request has workaround and removed pending triage labels Aug 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request has workaround
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@btea @RockiRider @TylerWanta @sapphi-red @mateyocedric