Regression: support for strict CSP broken by style mutation
See original GitHub issueThe optimization in PR https://github.com/rrweb-io/rrweb/pull/464 broke support for users who run a strict Content-Security-Policy (CSP).
Specifically, this line sets the style
attribute on a DOM node and will be blocked without style-src: 'unsafe-inline'
(which is the unsafe CSP).
For any apps that pull in the affected versions and have a strict CSP, this issue will generate a very large numbers of errors like the one below (one for each time that line of code runs). As a possible side effect, any error reporting services or report-url endpoints may be quickly overwhelmed with error reports.
Issue Analytics
- State:
- Created 2 years ago
- Comments:27 (13 by maintainers)
Top Results From Across the Web
Mitigate cross-site scripting (XSS) with a strict Content Security ...
Learn how to deploy a CSP based on script nonces or hashes as a defense-in-depth against cross-site scripting.
Read more >Strict CSP - Content Security Policy
Strict CSP. Content Security Policy can help protect your application from XSS, but in order for it to be effective you need to...
Read more >Safari Technology Preview Release Notes - Apple Developer
Changed to align with CSS Fonts specification changes (r283130); Fixed shadowing of @font-palette-values rules (r283756); Handle CSSOM style mutation of font- ...
Read more >Cross-site scripting - Wikipedia
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject ......
Read more >Google JavaScript Style Guide
There are alternatives if mutation is needed, including exporting a constant reference to an object that has mutable fields or exporting accessor functions...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Sure. Just some more context on how I discovered the issue. I recently updated our app to MUI v5 which is supposed to have strict CSP compatibility now (since they switched to emotion / styled-components and no longer use CSS in JS). I enabled the strict CSP headers and tested the site in staging where we are NOT running rrweb and saw no errors. When moved to prod where recording is enabled, I saw the CSP errors triggered by the referenced mutation line from rrweb.
I actually would expect the app’s attribute updates to trigger CSP but there must be a reason they are allowed.
Here is one of the things triggering a modification that gets picked up by the rrweb mutation.
I’m agnostic; just not sure if #846 actually fixes it … presume it does. If possible, a general CSP test would be good to catch regression on this, or the emergence of new CSP violations.