Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP compatibility #506

Closed
cjcenizal opened this issue Mar 13, 2018 · 12 comments
Closed

CSP compatibility #506

cjcenizal opened this issue Mar 13, 2018 · 12 comments
Labels
developer experience

Comments

@cjcenizal
Copy link
Contributor

AFAICT, we just need to remove inline style attributes. @epixa @bevacqua Is there anything else we need to do to make EUI CSP-compatible?
@bevacqua
Copy link
Contributor

bevacqua commented Mar 13, 2018
edited
Loading

Well, that boils down to the rules set by the consumers of EUI. No inline style, no eval is about the baseline. Note that no inline style ends up being pretty hard to enforce, for example: the code editor in EUI has no built-in support for CSP unless the consumer enables 'unsafe-inline', which as the name may have you guess, is not ideal. Nevertheless, we have that rule turned on for now in Cloud. Though I'm hoping that can change at some point, not really holding my breath.

  • When it comes to images, for instance, Cloud only accepts data: urls or 'self' (same-origin)
  • We accept no external fonts atm, but EUI doesn't have any.
  • Requests: for the most part, we don't allow external requests, so any and all requests should be configurable by the consumer, same for script source

@epixa
Copy link

epixa commented Mar 13, 2018

I think EUI needs to be as conservative in its CSP tolerances as our most restrictive CSP in Elastic products, which right now is Cloud and will soon be Kibana.

@cjcenizal I recommend figuring out the most restrictive CSP possible on EUI today by adding the CSP header to the EUI docs. The current target in Kibana is elastic/kibana#2873 (comment), though we're a ways off from that. However, our goal is to disable inline scripts as soon as humanly possible, so that's probably the most critical thing to sort out in EUI.

@cjcenizal
Copy link
Contributor Author

Thanks you two! Very helpful.

@snide
Copy link
Contributor

snide commented Mar 13, 2018
edited
Loading

I don't know much about CSP, but I know there's a couple places where we need to set styles through JS and I can't think of a way to do it through pure css classes alone.

  • Tooltips and similar "where am i in the window" components require it for positioning
  • Accordions, mobile nav and others have height/width calculations that apply matching styles
  • Applying a background image onto something is pretty common.

Is there some place you all recommend I can read up on some of these rules. Meeting 100% no-style tags will be pretty hard to do with our feature-set.

I was curious how this kind of stuff would effect CSS-IN-JS libs like styled components. Looks like they set webpack_nonce to pass a crypto along with the style tags? Is something like that an option for when we absolutely need it? Again, I have very little knowledge of this stuff, so just asking questions.

styled-components/styled-components#887

@bevacqua
Copy link
Contributor

bevacqua commented Mar 13, 2018 via email

@alexbrasetvik
Copy link

sha256-[digest] would be preferable to nonce, if possible :)

@chandlerprall chandlerprall mentioned this issue Mar 11, 2019
Closed
@cchaos cchaos mentioned this issue Sep 19, 2020
Closed
24 tasks
@snide snide mentioned this issue Mar 9, 2021
Merged
41 tasks
@github-actions
Copy link

👋 Hey there. This issue hasn't had any activity for 180 days. We'll automatically close it if that trend continues for another week. If you feel this issue is still valid and needs attention please let us know with a comment.

@chandlerprall
Copy link
Contributor

We still want to track this.

@legrego legrego mentioned this issue Apr 22, 2021
Closed
@github-actions
Copy link

github-actions bot commented Sep 8, 2021

👋 Hey there. This issue hasn't had any activity for 180 days. We'll automatically close it if that trend continues for another week. If you feel this issue is still valid and needs attention please let us know with a comment.

@github-actions
Copy link

❌ We're automatically closing this issue due to lack of activity. Please comment if you feel this was done in error.

@thompsongl thompsongl reopened this Sep 15, 2021
@github-actions
Copy link

👋 Hey there. This issue hasn't had any activity for 180 days. We'll automatically close it if that trend continues for another week. If you feel this issue is still valid and needs attention please let us know with a comment.

@cee-chen
Copy link
Member

cee-chen commented Apr 3, 2023

Hi all - I'm closing this issue due to age and Kibana apparently no longer pursuing the removal of inline styles (elastic/kibana#135469 (comment)).

Our reasoning is much the same as the above linked comment - inline styles are absolutely necessary for things like virtualization and dynamic positioning, as well as wildcard consumer content like dynamic colors. Using Emotion/CSS-in-JS is not a valid replacement as Emotion generates a new stylesheet/class name for each permutation of each CSS value, which leads to potentially infinite styles/class names generated on the page and has massive performance implications.

If you disagree, feel free to re-open this issue or leave an additional comment.

@cee-chen cee-chen closed this as not planned Won't fix, can't repro, duplicate, stale Apr 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
developer experience
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@alexbrasetvik @epixa @chandlerprall @snide @cee-chen @bevacqua @cjcenizal @thompsongl