Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Content Security Policy nonce option is not working

See original GitHub issue

Describe the bug The possibility to add a cspNonce was introduced in this MR https://github.com/mbrn/material-table/pull/1438.

The problem is that material-table depends on the package react-beautiful-dnd version 11.0.31 which does not have the option to pass a cspNonce as a property.

To Reproduce Steps to reproduce the behaviour:

  • Set up a CSP where the style src is not set to unsafe-inline
  • Use material-table

Expected behaviour There should be no CSP errors but there is. This is because the react-beautiful-dnd library sets inline styles.

Screenshots image

Desktop :

  • OS: Ubuntu
  • Browser Firefox
  • Version 77.0.1

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:8 (3 by maintainers)

github_iconTop GitHub Comments

2reactions
MglMXcommented, Jul 12, 2021

You need to specify the nonce to the MaterialTablecomponent. It will then be passed down to the style tag of react-beautiful-dnd.

<MaterialTable 
  columns={[
    {
      title: t('permitListPage.id'), field: 'id', defaultSort: 'desc', type: 'string',
    },
  ]}
  title={emptyTitle}  // const emptyTitle = '';
  icons={tableIcons}  // import tableIcons from '../TableIcons';
  data={permits}
  options={{cspNonce: "dX5eH2xW7yW0dC0b"}}
/>

The problem with the icons is not related with the CSP. You need to install @material-ui/icons and import them as it is described in the readme.

0reactions
xiaochenzhangcommented, Jul 12, 2021

ah, ok, thanks a lot @MglMX ! I thought the nonce is added by setting webpack_nonce so webpack is generating these tags… For now I will modify all the tables to include the nonce, hope it can be set dynamically in the table in the future. Thanks again for the help! Really appreciated.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Content Security Policy nonce does not apply to event handler ...
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src self https: 'nonce- ...
Read more >
CSP Nonce Examples and Guide - Content Security Policy
Using a nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's...
Read more >
CSP: script-src - HTTP - MDN Web Docs - Mozilla
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly ...
Read more >
Does not support Content Security Policy (CSP) nonce, only ...
In summary they are only for script tags, not style attributes, and it requires the server side to generate a new nonce for...
Read more >
FAQ - Content Security Policy
What if my application uses Service Workers? How do I make my favorite JS library/widget/CMS compatible with nonce-based CSP? Why does the strict...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Default options for all tables

Next page

How to show all rows with pagination overriding