jss icon indicating copy to clipboard operation
jss copied to clipboard
verified publisher icon cssinjs

Add support for CSSStyleSheet instance in DomRenderer for CSP enabled applications without relying on nonce

Open rohitkr opened this issue 1 year ago • 0 comments

Summary

This pull request introduces support for using a CSSStyleSheet instance provided by the user in the DomRenderer class. This enhancement is aimed at improving the flexibility and security of style injection in Content Security Policy (CSP) enabled applications. While maintaining support for nonce, it also provides an alternative for environments where the nonce value is not exposed.

Problem

In CSP enabled applications, inline styles are often restricted, making it challenging to manage stylesheets securely. The current implementation of JSS supports nonce for CSP, but it does not support the direct use of a CSSStyleSheet instance created and managed outside of JSS. This limitation hinders the ability to inject styles into a secure CSSStyleSheet, especially in environments where the nonce value is not exposed.

Solution

The proposed solution allows users to provide a CSSStyleSheet instance as the insertionPoint in the DomRenderer class. The changes include:

  • Updating the constructor of DomRenderer to accept a CSSStyleSheet instance.
  • Modifying the insertStyle method to handle CSSStyleSheet instances.
  • Maintaining support for nonce while providing an alternative for environments where the nonce value is not exposed.

Changes

  • Updated DomRenderer constructor to check if insertionPoint is an instance of CSSStyleSheet and use it directly if true.
  • Modified insertStyle method to insert rules into the provided CSSStyleSheet instance.
  • Maintained the setting of nonce attribute while providing an alternative for environments where the nonce value is not exposed.

Impact

This change enhances the security and flexibility of JSS by allowing styles to be injected into a CSSStyleSheet instance, which is particularly useful in CSP enabled environments. It ensures that JSS can be used in a wider range of applications with strict security policies, even when the nonce value is not exposed.

Testing

The changes have been tested in a CSP enabled environment to ensure that styles are correctly injected into the provided CSSStyleSheet instance without violating CSP rules.

Corresponding Issue(s):

What Would You Like to Add/Fix?

Todo

  • [ ] Add test(s) that verify the modified behavior
  • [x] Add documentation if it changes public API

Expectations on Changes

Changelog

rohitkr avatar Nov 22 '24 10:11 rohitkr