Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Set style properties directly in mutation #211

Draft
wants to merge 3 commits into
base: sentry-v2
Choose a base branch
from

Conversation

chargome
Copy link
Member

@chargome chargome commented Aug 7, 2024

This PR sets style attributes directly instead of rewriting the full style attribute. That avoids users running into runtime CSP errors when they have not configured unsafe-inline in their CSP.

fixes #145
relates to #10481

@chargome chargome self-assigned this Aug 7, 2024
packages/rrweb/src/utils.ts Outdated Show resolved Hide resolved
export function splitStyleAttributes(styles: string) {
const splitStyles = styles.split(';');
return splitStyles
.filter((value) => value.split(':').length == 2)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: Is this safe? Could styles not include colons in other places? Not 100% sure, just want to double check!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That will probably be an issue sooner or later, you're right

chargome and others added 2 commits August 7, 2024 12:00
Co-authored-by: Francesco Novy <francesco.novy@sentry.io>
Co-authored-by: Francesco Novy <francesco.novy@sentry.io>
@chargome chargome marked this pull request as draft August 7, 2024 10:02
@chargome
Copy link
Member Author

I have tried several options on injecting these styles (with nonces), like using a shadow dom, an iframe or just a style tag but all of these were still triggering the csp error.

The only option that really worked were setting the attributes directly using javascript, which is most likely too brittle and expensive to do.

The only other alternative that kinda worked was:

  • creating a style tag on the unattached document
  • setting a nonce on that tag, adding inline styles as a class inside the style tag
  • creating a span, setting the classname we have defined in the style tag
  • using window.getComputedStyle(span)to get the styles and then get the properties from that

but this alters values (e.g. color: red becomes an rgb value), so also not really suitable I think

@visualjerk
Copy link

visualjerk commented Sep 20, 2024

Unsure, if this is viable in your case, but some libraries offer a nonce option on initialization which is added to each injected style element.

Example from emotion

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: use of setAttribute('style', ...) in rrweb/src/record/mutation.ts violates CSP style-src directive
3 participants