xtermjs/xterm.js

Latest version requires unsafe-inline due to inline styles

Open

#4,445 opened on Mar 23, 2023

View on GitHub
 (21 comments) (1 reaction) (0 assignees)TypeScript (16,196 stars) (1,574 forks)batch import
help wantedtype/enhancement

Description

Content Security Policies need to be set to 'unsafe-inline' to work with xterm.js. Older versions didn't use inline styles so this wasn't an issue.

Ideally xterm should stop using inline styles or support a user-provided nonce value that can be set in the CSP. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

Details

  • Browser and browser version: all
  • OS version: all
  • xterm.js version: 5.1.0

Steps to reproduce

  1. Set a content security policy like "style-src 'self';"
  2. Make an xterm that has a resizable container
  3. Resizing causes CSP errors in the console.
  4. Resizing doesn't work properly

Contributor guide

Tech stack
typescriptcssjavascript
Domain
frontendsecurity
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Content Security Policy basicsxterm.js style injection mechanismNonce attribute support
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate where inline styles are injected in xterm.js, likely in the rendering pipeline. Review the CSP nonce approach and consider modifying style injection to support a user provided nonce attribute. Check the existing comments for any proposed solutions or rejected alternatives. See the issue #4445 for discussion.
Latest version requires unsafe-inline due to inline styles · xtermjs/xterm.js#4445 | Good First Issue