[Question]: Compatibility Issues with new strict CSP Rules and SBB Angular Component Library #2408

Open
aram-yesildeniz opened this issue Oct 29, 2024 · 5 comments
@aram-yesildeniz

Your Question

Is the SBB Angular Component Library compatible with the new strict Content Security Policy (CSP) rules added in the ESTA Blueprint?

Give us a summary about your question

We want to integrate the new CSP rules from the ESTA Blueprint: https://code.sbb.ch/projects/KD_ESTA_BLUEPRINTS/repos/esta-cloud-angular/commits/f099676d56ab8ff7456119f13833ec6d6bef410e#docker%2Fnginx-location.conf

Due to restrictions on inline styles, we’ve been unable to resolve the errors and created a minimal example to identify which components are causing the issue.
It appears that some SBB Angular components are involved. For instance, even with an example that only renders an SBB Checkbox, we still encounter this error.
Example repo: https://code.sbb.ch/projects/AMN_NEON/repos/csp-test/browse

Error:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-xxx'". Either the 'unsafe-inline' keyword, a hash ('sha256-xxx'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Is there a proper solution for this? If not, could we add to the documentation that it’s acceptable to relax the inline style restrictions?

Thanks and regards


@mhaertwig mhaertwig self-assigned this Oct 31, 2024
@mhaertwig
Collaborator

Hi @aram-yesildeniz
Our SBB Angular libraries are currently not compatible with the CSP rules since we're using a few inline styles in our components. We've discussed this in our team and decided to remove the inline styles. Our plan is to make version 19 (mid November) or one of the following releases CSP compatible.
Regards, Mario

@aram-yesildeniz
Author

Hi @mhaertwig, OK great, thanks for the quick check and fast reply. We are looking forward to the new versions :)
Regards, Aram

@aram-yesildeniz
Author

Hey guys, sorry to bother you again regarding CSP.
It looks like the @sbb-esta/journey-maps is also conflicting with the strict inline styles CSP.
Again, instead of a fix, an official statement that it is okay to relax the inline style rules for certain scenarios would be more than welcome :)

Thanks and regards, Aram

@mhaertwig
Collaborator

No problem, I wasn't aware that you're also using journey maps. I will forward your request to the ROKAS team.

Regards, Mario

@swiss-chris
Contributor

Hi @aram-yesildeniz
I tagged you in the JIRA issue where the ROKAS team is tracking this.

@swiss-chris swiss-chris self-assigned this Nov 18, 2024