security audit v4: remove unsafe-inline from style-src CSP #422
Merged
- Replace style-src 'unsafe-inline' with per-request nonce in middleware
- Extend HTMLRewriter to inject nonces into <style> elements
- Add <meta name="csp-nonce"> to Layout for client-side access
- Patch document.createElement in Layout to auto-nonce emotion/MUI injected <style> tags without modifying any component files
- Convert all inline style= attributes in .astro files to Tailwind classes

Resolves OWASP A05:2021 style-src unsafe-inline finding (security audit v4)
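The three pieces the description lists on the server and client side, written out as an added example (this is not the PR's middleware or Layout code): a per-request nonce, a CSP whose style-src carries that nonce instead of 'unsafe-inline', nonce injection into <style>/<script> tags, the <meta name="csp-nonce"> hand-off, and the document.createElement patch for emotion/MUI. The regex-based injector stands in for Cloudflare's HTMLRewriter so it runs outside Workers; all function names and the directive values are assumptions, not the project's.

```javascript
// Added example, not the PR's own code. Function names, directive values and
// the regex-based rewriter (a stand-in for HTMLRewriter) are assumptions.

// One fresh nonce per request: 16 random bytes, base64. Uses the Web Crypto
// global available in browsers, Workers and Node 19+.
function makeNonce() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Build the header: style-src and script-src use 'nonce-<value>'. Any
// 'unsafe-inline' in the map is rejected so it cannot creep back in later.
function buildCsp(nonce, extraStyleSrc = []) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`],
    'style-src': ["'self'", `'nonce-${nonce}'`, ...extraStyleSrc],
    'font-src': ["'self'"],
    'frame-src': ["'self'"],
  };
  for (const [name, values] of Object.entries(directives)) {
    if (values.includes("'unsafe-inline'")) {
      throw new Error(`${name} must not contain 'unsafe-inline'`);
    }
  }
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Put nonce="..." on every <style> and <script> opening tag that lacks one
// (what an HTMLRewriter element handler would do with setAttribute).
function injectNonces(html, nonce) {
  return html.replace(/<(style|script)\b([^>]*)>/gi, (match, tag, attrs) => {
    if (/\bnonce\s*=/i.test(attrs)) return match; // already nonced
    return `<${tag} nonce="${nonce}"${attrs}>`;
  });
}

// Expose the nonce to client-side code via <meta name="csp-nonce">.
function addNonceMeta(html, nonce) {
  return html.replace(/<head\b[^>]*>/i,
    (m) => `${m}<meta name="csp-nonce" content="${nonce}">`);
}

// Client side: wrap document.createElement so every <style> created by
// JavaScript (emotion/MUI) carries the nonce from the meta tag. No-op when
// there is no DOM, so the module loads under Node too.
function installCreateElementNoncePatch() {
  if (typeof document === 'undefined') return false;
  const meta = document.querySelector('meta[name="csp-nonce"]');
  if (!meta) return false;
  const nonce = meta.content;
  const orig = document.createElement;
  document.createElement = function (tagName, options) {
    const el = orig.call(this, tagName, options);
    if (String(tagName).toLowerCase() === 'style') el.nonce = nonce;
    return el;
  };
  return true;
}

// Middleware-shaped usage: nonce -> header -> rewritten body.
function renderWithCsp(html) {
  const nonce = makeNonce();
  return {
    headers: { 'Content-Security-Policy': buildCsp(nonce) },
    body: addNonceMeta(injectNonces(html, nonce), nonce),
  };
}
```

Because the nonce is baked into both the header and the body, the response must be generated per request; an HTML page cached and served to a second visitor carries a nonce that the second visitor's header does not match, and every inline style is then blocked.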
Deploying website with

| Latest commit: | 77a8e77 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://03a79aee.website-aun.pages.dev |
| Branch Preview URL: | https://security-audit-v4.website-aun.pages.dev |
…only style-src CSP
Prevents authenticated requests being forwarded to arbitrary upstream endpoints (e.g. admin APIs). All legitimate callers (volunteerForm, inputs-mapping) only call /api/method/* paths.
…llowlists
- Add Element.prototype.setAttribute patch in Layout.astro to convert setAttribute('style', ...) calls into individual setProperty() CSSOM mutations, preventing CSP violations from Email Octopus form script
- Add https://gallery.eo.page to font-src for Email Octopus custom font
- Add https://www.google.com to frame-src for Qgiv reCAPTCHA iframe
…parse Email Octopus script injects styled HTML via innerHTML; the browser blocks style attributes at HTML parse time before any setAttribute intercept fires. Patch 3 renames style="..." to data-csp-style before handing the string to the original innerHTML setter, then re-applies each rule via setProperty.
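The setAttribute('style') patch from the earlier commit and the innerHTML patch from this one share one piece of logic: turning a style attribute string into setProperty() calls. Added example below (not the PR's Layout.astro code), with the string handling kept as pure functions so it can be exercised without a DOM and the two prototype patches installed only when a browser is present. Function names are assumptions; the technique (setAttribute('style') to CSSOM, style= renamed to data-csp-style before the original innerHTML setter runs, then re-applied) is the one the commit messages describe.

```javascript
// Added example, not the PR's own code. Function names are assumptions.

// Split a style attribute value into [property, value, priority] triples.
// ';' only splits outside quotes and parentheses, so url("a;b.png") and
// font-family: "x; y" survive; a trailing !important becomes the priority.
function parseStyleDeclarations(css) {
  const decls = [];
  let depth = 0, quote = null, buf = '';
  const flush = () => {
    const i = buf.indexOf(':');
    if (i > 0) {
      const prop = buf.slice(0, i).trim();
      let value = buf.slice(i + 1).trim();
      let priority = '';
      const m = value.match(/\s*!\s*important\s*$/i);
      if (m) { value = value.slice(0, m.index).trim(); priority = 'important'; }
      if (prop && value) decls.push([prop, value, priority]);
    }
    buf = '';
  };
  for (const ch of css) {
    if (quote) { if (ch === quote) quote = null; buf += ch; continue; }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')') depth = Math.max(0, depth - 1);
    else if (ch === ';' && depth === 0) { flush(); continue; }
    buf += ch;
  }
  flush();
  return decls;
}

// CSSOM mutations are allowed under a nonce CSP; the style attribute is not.
// `el` only needs a .style.setProperty(), so a stub works for testing.
function applyCspStyle(el, css) {
  for (const [prop, value, priority] of parseStyleDeclarations(css)) {
    el.style.setProperty(prop, value, priority);
  }
}

// Rename style="..." to data-csp-style="..." in an HTML string so the parser
// never sees a style attribute. Quoted and unquoted values are handled.
function deferInlineStyles(html) {
  return html.replace(/\sstyle\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi,
    ' data-csp-style=$1');
}

// Install both prototype patches in a browser; returns false without a DOM.
function installCspStylePatches() {
  if (typeof Element === 'undefined') return false;

  // Patch 1: setAttribute('style', v) -> individual setProperty() calls.
  const origSetAttribute = Element.prototype.setAttribute;
  Element.prototype.setAttribute = function (name, value) {
    if (String(name).toLowerCase() === 'style') return applyCspStyle(this, String(value));
    return origSetAttribute.call(this, name, value);
  };

  // Patch 2: innerHTML setter renames style= first, then re-applies via CSSOM.
  const desc = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML');
  if (!desc || !desc.set) return true;
  Object.defineProperty(Element.prototype, 'innerHTML', {
    ...desc,
    set(html) {
      desc.set.call(this, deferInlineStyles(String(html)));
      for (const el of this.querySelectorAll('[data-csp-style]')) {
        applyCspStyle(el, el.getAttribute('data-csp-style'));
        el.removeAttribute('data-csp-style');
      }
    },
  });
  return true;
}
```

The rewrite is string-level, exactly as the commit describes: anything in the markup that looks like a style attribute is renamed, including the rare case of that text appearing inside element content, and the styles are only re-applied for elements that were actually parsed. Declarations that parse cleanly but that the browser rejects (unknown properties, bad values) are dropped silently by setProperty, which is also what the browser would have done with the attribute.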
- Add https://secure.qgiv.com to style-src for Qgiv donate form stylesheet
- Add https://validaid.org to frame-src for donate page embed
Summary

- Removes 'unsafe-inline' from the style-src CSP directive, resolving the OWASP A05:2021 Security Misconfiguration finding from the v4 security audit
- Replaces it with a per-request nonce ('nonce-${nonce}'), consistent with how script-src already works
- Handles both static <style> elements (HTMLRewriter) and client-side emotion/MUI dynamic injection (document.createElement patch)

Changes

- src/middleware.ts: style-src uses 'nonce-${nonce}' instead of 'unsafe-inline'; HTMLRewriter injects the nonce into <style> elements in addition to <script> elements
- src/layouts/Layout.astro: <meta name="csp-nonce"> with the per-request nonce for client-side access; is:inline script that patches document.createElement to auto-set .nonce on every <style> element created by JavaScript — covers emotion/MUI across all React component trees without modifying any component files
- All .astro files — every style="" HTML attribute removed and replaced with Tailwind: index.astro, membership.astro, donate.astro, faq.astro, about.astro, project-details-temp.astro, team.astro, TFPLogo.astro, Layout.astro

Test plan