Comments (5)
Tracked it down to these two divs Gatsby wraps the body with:
<div style="outline: none;" tabindex="-1" id="gatsby-focus-wrapper">
and
<div id="gatsby-announcer" style="position: absolute; top: 0; width: 1px; height: 1px; padding: 0; overflow: hidden; clip: rect(0, 0, 0, 0); white-space: nowrap; border: 0;" aria-live="assertive" aria-atomic="true"></div>
If you calculate the sha-256 for those two styles, you'll see they match the ones in the browser error i.e. xEAI9+h/o3bZk3pUT7XDH9K7x5IOvG0FbJpal6UC/m8=
and g6+1wt4NLfWDgcHpASzi98yBTZMT5MvrI31KNOqoXC4=
, respectively.
This plugin only calculates the sha-256 on <style>
or <script>
tags found in the head, pre-body, or post-body. It doesn't look for any in the body and also doesn't look for either inline style attributes or inline event handlers.
Most likely the same issue as #14 and #16
from gatsby-plugin-csp.
Same...
from gatsby-plugin-csp.
As a work around for the style attributes on gatsby-announcer
and gatsby-focus-wrapper
you can add a style-src config like this:
'style-src': "'self' 'unsafe-hashes' 'sha256-MtxTLcyxVEJFNLEIqbVTaqR4WWr0+lYSZ78AzGmNsuA=' 'sha256-o4LYhp5wtluJ8/NWUV2vi+r5AxmP8X2zEvYHCpji+kI='"
(unsafe-hashes option is required in some browsers to make it work for style attributes)
Note that if a future Gatsby update changes the style attribute on these divs these hashes would need to be updated again.
Also make sure you have mergeStyleHashes
set to true
for this to work.
Full example:
{
resolve: 'gatsby-plugin-csp',
options: {
disableOnDev: true,
mergeStyleHashes: true,
mergeDefaultDirectives: true,
directives: {
'style-src':
// hashes for #gatsby-focus-wrapper and #gatsby-announcer style attribute
"'self' 'unsafe-hashes' 'sha256-MtxTLcyxVEJFNLEIqbVTaqR4WWr0+lYSZ78AzGmNsuA=' 'sha256-o4LYhp5wtluJ8/NWUV2vi+r5AxmP8X2zEvYHCpji+kI='",
},
},
from gatsby-plugin-csp.
As a work around for the style attributes on
gatsby-announcer
andgatsby-focus-wrapper
you can add a style-src config like this:'style-src': "'self' 'unsafe-hashes' 'sha256-MtxTLcyxVEJFNLEIqbVTaqR4WWr0+lYSZ78AzGmNsuA=' 'sha256-o4LYhp5wtluJ8/NWUV2vi+r5AxmP8X2zEvYHCpji+kI='"
(unsafe-hashes option is required in some browsers to make it work for style attributes)
Note that if a future Gatsby update changes the style attribute on these divs these hashes would need to be updated again.
Also make sure you have
mergeStyleHashes
set totrue
for this to work.Full example:
{ resolve: 'gatsby-plugin-csp', options: { disableOnDev: true, mergeStyleHashes: true, mergeDefaultDirectives: true, directives: { 'style-src': // hashes for #gatsby-focus-wrapper and #gatsby-announcer style attribute "'self' 'unsafe-hashes' 'sha256-MtxTLcyxVEJFNLEIqbVTaqR4WWr0+lYSZ78AzGmNsuA=' 'sha256-o4LYhp5wtluJ8/NWUV2vi+r5AxmP8X2zEvYHCpji+kI='", }, },
I'm not clear on where this sha key should come from?
from gatsby-plugin-csp.
@potatowave check the console CSP error/warning in the browser after a deployment and it will say hash was provided but was expected. Then just change it to <2>. That's how I did it.
In my case it looked like this:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob: 'sha256-VQmEp0Z3hhXpgyR8eLC7h/m/fuPoIu20hDeWkLfFJt8='". Either the 'unsafe-inline' keyword, a hash ('sha256-rstJb4fHq3envUwqc55dL7f2YwhXthb/y9glQxrlm+Y='), or a nonce ('nonce-...') is required to enable inline execution.
from gatsby-plugin-csp.
Related Issues (14)
- License? HOT 2
- CSP meta `content` is escaped HOT 2
- Unrecognized Content-Security-Policy directive 'report-src'. HOT 1
- Warning: Each child in a list should have a unique "key" prop. HOT 3
- Lots of inline style and script errors are being thrown
- upgrade-insecure-requests & block-all-mixed-content not working.
- style-src without sha256 hashes. Styled components issue?
- Status of this plugin / repo? HOT 9
- disableOnDev flag is printed to HTML
- Issues with gatsby-image HOT 13
- HTTP headers support HOT 3
- Way to specify report-only csp? HOT 1
- Why is this plugin better than just adding a CSP header to the html.js? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatsby-plugin-csp.