Comments (9)
This is a good question. Aurelia itself makes no use of eval or new Function() at all in its source code. That's very intentional in order to support exactly what you are talking about. However, I'm not 100% sure about the polyfills we are using or about system.js. I believe there is a CSP-compliant build of system.js. So, perhaps if you use that in combination with Aurelia it will work.
In any case, the problem wouldn't be directly in our code, but might exist in some of the other libraries. I would very much love for you to "give it a try" and report back to us. If we need to fix any issues we will certainly do that. We may also be able to help advocate for fixes in other libraries if the problems live there.
Please let us know!
Will do. I'll see what I can put together tonight :) In terms of Chrome Packaged Apps there's only a need to support Chrome, so my guess is that certain polyfills will not be needed. I'll do a quick test and see what comes up.
Had to do 2 changes to get CSP working.
- Change
<script>
System.import('aurelia-bootstrapper');
</script>
to
<script src="bootstrap.js"></script>
otherwise, unsafe-inline is required. No big deal.
- system.js requires unsafe-eval. Seems pretty essential to the loader.
After that, the following CSP header works fine for us:
Content-Security-Policy: default-src 'self' ws: wss; script-src 'self' 'unsafe-eval'; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data:; frame-src; sandbox allow-forms allow-scripts allow-same-origin;
Obviously the exact modules that get bundled, and the functionality used may have varying requirements, but I found that if I swapped to the CSP version of system, and (as above) moved the import to a separate js file, I could get Aurelia up and running with a clean CSP configuration:
index.html
<script src="scripts/jspm_packages/system-csp-production.js"></script>
<script src="scripts/jspm_config.js"></script>
<script src="scripts/app-bootstrap.js"></script>
HTTP header
Content-Security-Policy: default-src 'self'
For the current aurelia-cli build that uses require instead of jspm, the following CSP seems to work fine out of the box (though may need to be varied depending on the modules you call and the external resources you access):
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
Not sure where this appears in the framework, but this is one area which triggers a default style-src policy violation.
injectStyles
...
destination.appendChild(node);
For Google Tag Manager based analytics and fonts this seems to work:
default-src 'self'; connect-src 'self' ws:; script-src 'self' www.googletagmanager.com www.google-analytics.com 'sha256-Abb4VEVedds9NWypVyA7pYkisbm21wnlrkPGVR64oHE=' 'sha256-GKWAMtgBzlCzmucztJIeDl/kD0MKNqAT5HDcFIff2+A='; img-src 'self' www.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com;
Hashes are for the tag manager block and browsersync. With ws: also for browsersync.
Then for the above injectStyles issue:
style-src ... 'unsafe-inline'
It is coming from the "show" behavior in templating-resources. We are open to making changes, just submit a PR and we can review.
Am I right to assume this is still an issue?
@raugustinus this is still an issue. I think to properly support this, we need to make the CSS class for hidden style configurable