xtermjs/xterm.js

Latest version requires unsafe-inline due to inline styles

Open

#4,445 建立於 2023年3月23日

在 GitHub 查看
 (21 留言) (1 反應) (0 負責人)TypeScript (16,196 star) (1,574 fork)batch import
help wantedtype/enhancement

描述

Content Security Policies need to be set to 'unsafe-inline' to work with xterm.js. Older versions didn't use inline styles so this wasn't an issue.

Ideally xterm should stop using inline styles or support a user-provided nonce value that can be set in the CSP. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

Details

  • Browser and browser version: all
  • OS version: all
  • xterm.js version: 5.1.0

Steps to reproduce

  1. Set a content security policy like "style-src 'self';"
  2. Make an xterm that has a resizable container
  3. Resizing causes CSP errors in the console.
  4. Resizing doesn't work properly

貢獻者指南

技術棧
typescriptcssjavascript
領域
frontendsecurity
議題類型
security
難度面向新貢獻者的預計實作難度,1 表示很小改動,5 表示專家級工作。
3
預計時間有經驗貢獻者完成調查、實作、測試並準備 pull request 的粗略時間範圍。
1-2 days
活動狀態議題目前的可參與程度:新鮮、活躍、陳舊、阻塞或等待維護者輸入。
stale
清晰度議題是否清楚說明預期改動、驗收標準和下一步。
clear
前置要求
Content Security Policy basicsxterm.js style injection mechanismNonce attribute support
新手友善度1-100 的估計分數,表示該議題對首次貢獻者的友善程度。
40
研究方向
Investigate where inline styles are injected in xterm.js, likely in the rendering pipeline. Review the CSP nonce approach and consider modifying style injection to support a user provided nonce attribute. Check the existing comments for any proposed solutions or rejected alternatives. See the issue #4445 for discussion.