CSP Nonce changes with page updates
lleger opened this issue
Environment
Make sure you are using the latest LiveView and Dashboard versions before continuing.
- Elixir version (elixir -v): 1.11.0
- Phoenix version (mix deps): 1.5.9
- Phoenix LiveView version (mix deps): 0.15.7
- Phoenix Dashboard version (mix deps): 0.4.0
- Operating system: macOS
- Browsers you attempted to reproduce this bug on (the more the merrier): Safari, Chrome, Firefox
Actual behavior
With CSP nonces configured, I'm still getting a CSP nonce error on page updates. The browser logs this error:
Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
When the page first loads, there is no error. The error only happens when you click to another page. Here are the repro steps:
- http://localhost:4000/manage/dashboard/os_mon → loads fine
- Click "Home" in top nav → styles broken and error logged
- Refresh http://localhost:4000/manage/dashboard/home → loads fine
This is most obvious in the progress bars which use inline styles. When the CSP issues happen, the bars are collapsed.
After some debugging I think what's happening is that the page updates are causing new nonces to be created but the browser didn't make a new request, so the CSP header still has the old value. Illustration:
Expected behavior
With CSP nonces configured, no CSP errors are generated even across page updates.
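One way to keep the nonce stable across live navigation, as an added example that is not code from this issue or from Phoenix/LiveDashboard: the nonce is generated once per HTTP request, written into both the CSP header and the session, and every LiveView mount reuses the session value instead of minting a new one, so inline styles rendered after a live redirect still match the header the browser already holds. The module names, the `:csp_nonce` key and the progress-bar markup are assumptions.

```elixir
defmodule MyAppWeb.Plugs.CSPNonce do
  @moduledoc "Assumed plug: one nonce per HTTP request, pinned in the session."
  import Plug.Conn

  def init(opts), do: opts

  # Must run after :fetch_session in the router pipeline.
  def call(conn, _opts) do
    nonce = 18 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)

    conn
    |> assign(:csp_nonce, nonce)
    # The session travels with the LiveView mount, the response headers do not.
    |> put_session(:csp_nonce, nonce)
    |> put_resp_header(
      "content-security-policy",
      "default-src 'self'; style-src 'self' 'nonce-#{nonce}'; " <>
        "script-src 'self' 'nonce-#{nonce}'"
    )
  end
end

defmodule MyAppWeb.ProgressLive do
  @moduledoc "Assumed LiveView rendering an inline-styled progress bar."
  use Phoenix.LiveView

  def mount(_params, session, socket) do
    # Reuse the nonce from the request that delivered the CSP header.
    # Minting a new one here is exactly the failure mode: the header still
    # carries the old value, so the browser rejects the new inline <style>.
    nonce = Map.fetch!(session, "csp_nonce")
    {:ok, assign(socket, csp_nonce: nonce, pct: 40)}
  end

  def render(assigns) do
    ~L"""
    <style nonce="<%= @csp_nonce %>">.bar { width: <%= @pct %>%; }</style>
    <div class="bar"></div>
    """
  end
end
```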
Hi @lleger, please let me know once you upgrade to LiveView, because it changes how redirects across pages work and I think it will have addressed this issue. We also have a mix dev task that runs dev.exs, which has some CSP config for you to try out!
Got it, so CSP is broken in Dashboard 0.4.0 and you don't expect that'll be fixed? (I'm uncertain of our upgrade path to LiveView 0.16 since it seems like a lot of stuff changed.)
@lleger if you send a PR, I can gladly merge it and do a new release, but I wouldn't have time to focus on it.
About v0.16, a lot changed but the breaking changes are very minimal and only relate to changing live_session in your router. Everything else you can migrate at your own pace and take time.
@josevalim Understood, thank you Jose. I'll look at getting us upgraded sooner rather than later and see if that fixes the issue.
Closing this for now. If the issue persists, feel free to ping and report again. :)