-
-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP compliance #1368
Comments
Yeah I guess we could remove it but it might be better to add this back in the stylesheet, probably better to do that in Slickgrid-Universal since I don't have any CSS in Angular-Slickgrid anymore.
There's already a
I've done a lot of work with another user's help to make SlickGrid CSP compliant, you can see all the PRs we've done in Also note that in the SlickGrid project, with help from the other user, we decided to make certain CSP options as separate options because it had an impact on perf. I wrote a quick Wiki on SlickGrid project and you can see this SlickGrid Example. From the Wiki you'll see this this.gridOptions = {
dataView: { useCSPSafeFilter: true, }
} I should also eventually replicate this Wiki to my own docs, the approach would be similar. I certainly welcome any contributions in that regards, I'm not sure it would work with all examples though |
Did some testing. Removing the
So I took a swing at converting the demo site to be CSP compliant, but while doing so I realized some examples would become a bit complicated for the average user to understand. E.g. the column formatters can't return a string with html like Then I could bring So I'm also throwing both idea's in the fireplace :) So there is just 1 thing left and that is to move the |
Yes and No, one of the thing I've changed in latest major to be more CSP Compliant is to have Formatters accept not only strings but also native HTML Element and also internally since I added DOMPurify I changed the default option to return TrustedHTML. So both approach should still pass CSP, however 1 thing to note is that a Formatter with native HTML Element will have better perf since it doesn't have to convert HTML string to HTML elements for the DOM, so it's faster (but you probably won't see much of a difference since SlickGrid uses virtual scroll)
Yeah I don't want to make it more complicate for regular non-CSP users and very often enabling CSP also mean perf drops, so it's better to stay raw in some cases. Oh and I forgot that I added CSP Docs only on the new GitBook docs website, so I did write about it :)
Yeah of course, I will do that in a bit. Like I said earlier, I'm working on a new feature that mainly touches the styling, so I'll add it to my TODOs ;) |
- as per Angular-Slickgrid opened [issue](ghiscoding/Angular-Slickgrid#1368)
- as per Angular-Slickgrid opened [issue](ghiscoding/Angular-Slickgrid#1368)
fix: remove width style on grid container for CSP safe, fixes #1368
@jr01 this should be fixed now, hope you also enjoy the brand new Dark Mode 😉 Cheers |
Wow. Thanks @ghiscoding ! |
Describe the bug
Hi!
I'm working on content-security-policy (CSP) compliance in our product and getting a console error in Angular Slickgrid:
This is because of the
style=
inAngular-Slickgrid/src/app/modules/angular-slickgrid/components/angular-slickgrid.component.html
Line 3 in e8b3792
The grid is working and displaying fine however, so it's not a blocker...
Reproduction
Sorry no minimal repro, I can create it later if desired, but a summart of what I did in my app.
As described here https://angular.io/guide/security#content-security-policy I changed my
index.html
to<app-root ngCspNonce="randomNonceGoesHere"></app-root>
.For
ng serve
support I updatedangular.json
to set the CSP header on response:As described here https://ghiscoding.gitbook.io/slickgrid-universal/developer-guides/csp-compliance I did something like the following in my component:
And lastly I updated all my formatters to return
HtmlResult
.Expectation
A simple fix would be to change to
[ngStyle]="{ width: '100%' }"
. I already tested that by subclassing theAngularSlickgridComponent
on my end.But perhaps :
width: 100%
style can be moved to.slickgrid-container
or removed completely since it didn't do anything for me... I will investigate/test of course, but perhaps you remember why it was put there?@Inject(CSP_NONCE)...
and setting the grid options be moved to relevant places in Angular Slickgrid? Then CSP would just work out-of-the-box :) I haven't yet investigated what solution other components are using.Environment Info
Validations
The text was updated successfully, but these errors were encountered: