Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added display:none style causing CSP errors #8618

Closed
1 task
osiegmar opened this issue Sep 21, 2023 · 3 comments · Fixed by #8624
Closed
1 task

Added display:none style causing CSP errors #8618

osiegmar opened this issue Sep 21, 2023 · 3 comments · Fixed by #8624
Labels
- P4: important Violate documented behavior or significantly impacts performance (priority)

Comments

@osiegmar
Copy link

osiegmar commented Sep 21, 2023
edited
Loading

Astro Info

Astro                    v3.1.1
Node                     v20.6.1
System                   macOS (arm64)
Package Manager          pnpm
Output                   static
Adapter                  none
Integrations             @astrojs/tailwind
                         @astrojs/solid-js

If this issue only occurs in one browser, which browser is a problem?

Tested with Chrome, Firefox and Safari. They're all affected but the error message in this ticket is taken from Chrome.

Describe the Bug

Since astro 3.1.1 (caused by #8580) Chrome refuses to apply those new style="display:none" attributes on scripts and styles, because they'd require 'unsafe-hashes' in the Content Security Policy:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='". Either the 'unsafe-inline' keyword, a hash ('sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Note that sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE= is the hash for style="display:none".

What's the expected result?

No errors in the console, no added style="display:none" to script-/style-elements.

Also see: https://content-security-policy.com/examples/allow-inline-style/

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-zcshce?file=src%2Fpages%2Findex.astro

Participation

  • I am willing to submit a pull request for this issue.
@github-actions github-actions bot added the needs triage Issue needs to be triaged label Sep 21, 2023
@matthewp
Copy link
Contributor

Oh that's weird, why do we do that? cc @bluwy aren't styles and scripts always display none anyways?

@natemoo-re
Copy link
Member

This was merged in #8580 which fixed #8377, but IMO the user's CSS overriding the default UA styles to override the visibility of scripts/styles is not our concern. They should fix their CSS.

@matthewp matthewp added - P4: important Violate documented behavior or significantly impacts performance (priority) and removed needs triage Issue needs to be triaged labels Sep 21, 2023
@matthewp matthewp mentioned this issue Sep 21, 2023
Merged
@bluwy
Copy link
Member

bluwy commented Sep 22, 2023

The issue is that Astro is injecting new nodes that causes the CSS that should work fine as written to not work. But I guess display: none wasn't the right solution either as they have to update their CSS to account for the injected node too. So ok with reverting then.

@bluwy bluwy mentioned this issue Feb 6, 2024
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
- P4: important Violate documented behavior or significantly impacts performance (priority)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Revert "fix: islands are not being rendered correctly (#8580)" withastro/astro
4 participants
@matthewp @osiegmar @natemoo-re @bluwy