Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Nx React and Content Security Policy (CSP)

See original GitHub issue

Current Behavior

“INLINE_RUNTIME_CHUNK=false” command does not work with NX React. I would use this to avoid the use of ‘unsafe-inline’ for style-src CSP directive

In a normal React app I would use "build": "set \"INLINE_RUNTIME_CHUNK=false\" && react-scripts build" and this would enable my CSPs to work properly

I have tried the following in my pipeline script: set \"INLINE_RUNTIME_CHUNK=false\" && npx nx affected --base=HEAD~1 --target=build but this doesn’t work

Is there a way to use “INLINE_RUNTIME_CHUNK=false” when using NX?

Can you advise why #2932 was closed? This seems like a security issue that needs to be resolved to me?

More info https://drag13.io/posts/react-inline-runtimer-chunk/index.html

Expected Behavior

You should be able to have “INLINE_RUNTIME_CHUNK=false” when using NX otherwise having CSPs breaks the application

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:3
  • Comments:8 (3 by maintainers)

github_iconTop GitHub Comments

2reactions
72gmcommented, Feb 24, 2022

A workaround is to use ‘unsafe-inline’.

image

This isn’t ideal as it reduces the security rating from “A+” to “A” when scanning at https://securityheaders.com/ (hopefully my security team will let this pass)

Are there any plans to add such a config option to NX that create-react-app has?

Might be something you want to give some consideration to given nx.dev’s rating https://securityheaders.com/?q=https%3A%2F%2Fnx.dev%2F&followRedirects=on

1reaction
sayeedhussaincommented, Jul 8, 2022

Hello Maintainers,

@FrozenPandaz, @vsavkin, @bcabanes , @jaysoo , @meeroslav , @leosvelperez

This seems to be a security concern. Can you please let us know your plan to address this?

Read more comments on GitHub >

github_iconTop Results From Across the Web

Nx React and Content Security Policy (CSP) - Stack Overflow
This allows me get my content security policies (CSPs) working by not embedding the runtime scripts into index.html. I am now using an...
Read more >
React Content Security Policy Guide - StackHawk
Content Security Policy (CSP) applies to scripts, images, styles, and more. It helps prevent XSS. Learn about content security policy in React.
Read more >
Content Security Policy (CSP) in Create-React-App (CRA)
I decided to use CSP-2 and use <Meta> to define CSP policies for my app. No inline script or style. By default, Create...
Read more >
Content Security Policy with React WebApp
La Content Security Policy est une entête HTTP permettant de définir les interactions entre les ressources d'une page web. default-src 'self'; script-src 'self' ......
Read more >
React Monorepo Tutorial - Part 1: Code Generation - Nx
React Monorepo Tutorial - Part 1: Code Generation · Contents · Your Objective · Creating an Nx Workspace · Adding Another Application to...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

linting with --fix passes when it should not pass.

Next page

Prevent circular dependency issues when using type imports (enforce-module-boundarie)