Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LocalizedStringProvider: nonce parameter for Content Security Policy #6219

Merged
merged 6 commits into from
May 22, 2024
Merged

LocalizedStringProvider: nonce parameter for Content Security Policy #6219

merged 6 commits into from
May 22, 2024

Conversation

Julienng
Copy link
Contributor

@Julienng Julienng commented Apr 17, 2024
edited
Loading

Closes #6218

✅ Pull Request Checklist:

  • Included link to corresponding LocalizedStringProvider: missing nonce parameter when CSP is enabled.
  • Added/updated unit tests and storybook for this change (for new code or code which already has tests).
  • Filled out test instructions.
  • Updated documentation (if it already exists for this component). Would like help on where to document there
  • Looked at the Accessibility Practices for this feature - Aria Practices no concern

📝 Test Instructions:

#6218
Reproduction repo and deployed test on vercel to check

🧢 Your Project:

@Julienng Julienng force-pushed the nonce-parameter-for-localized-string-provider branch from 185b9a1 to b2e1311 Compare April 30, 2024 09:41
snowystinger
snowystinger previously approved these changes Apr 30, 2024
View reviewed changes
Copy link
Member

@snowystinger snowystinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable, we should see about adding it to our example project for verification.
https://github.com/adobe/react-spectrum/tree/main/examples/next-app

@Julienng
Copy link
Contributor Author

Oh i missed that one, I can work on that based on this reproduction bug repository:

https://github.com/Julienng/csp-next-and-react-aria-components-provider

@Julienng Julienng force-pushed the nonce-parameter-for-localized-string-provider branch from d726ab8 to 70b6c49 Compare May 2, 2024 11:05
@Julienng
Copy link
Contributor Author

Julienng commented May 2, 2024

@snowystinger I've added the example project. It matches with the next-app but with CSP

By testing it, I noticed hydration error with CSP because the browser remove nonce parameter from the DOM before React hydration.

To circumvent that problem, I followed the same pattern as next-themes in this PR: pacocoursey/next-themes#262

new code:

<script nonce={typeof window === 'undefined' ? nonce : ''} suppressHydrationWarning dangerouslySetInnerHTML={{__html: getPackageLocalizationScript(locale, strings)}} />;

@Julienng Julienng requested a review from snowystinger May 2, 2024 11:45
@Julienng Julienng force-pushed the nonce-parameter-for-localized-string-provider branch from 70b6c49 to 84fdccb Compare May 6, 2024 06:24
@Julienng Julienng force-pushed the nonce-parameter-for-localized-string-provider branch from 84fdccb to 81099b7 Compare May 13, 2024 12:26
@snowystinger
Copy link
Member

Linking relevant React issue facebook/react#26028

snowystinger
snowystinger reviewed May 14, 2024
View reviewed changes
Copy link
Member

@snowystinger snowystinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, might be a silly question, but how do I run this to verify what it's doing?
I tried

cd examples/next-app-csp
yarn
yarn dev

and it just renders a blank page with an error, which is about the nonce, element in question. So is this what it's supposed to do?
Screenshot 2024-05-14 at 5 43 20 PM

@Julienng
Copy link
Contributor Author

Julienng commented May 14, 2024
edited
Loading

Oh yeah, I had to yarn build before for the example to work. I don't know if this is expected (from the monorepo perspective)?

@snowystinger
Copy link
Member

snowystinger commented May 15, 2024
edited
Loading

Oh yeah, I had to yarn build before for the example to work. I don't know if this is expected (from the monorepo perspective)?

totally fine, I think we should include instructions though. With all the different systems, I sometimes forget the commands I need to run and in what order.

snowystinger
snowystinger approved these changes May 15, 2024
View reviewed changes
Copy link
Member

@snowystinger snowystinger left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was able to successfully run it, verified the suppress warning and checked sent-through nonce via the attribute

LFDanLu
LFDanLu approved these changes May 17, 2024
View reviewed changes
Copy link
Member

@LFDanLu LFDanLu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified the behavior before and after the nonce addition. Might be good to add a small blurb to the docs SSR docs highlighting that this prop exists?

@snowystinger snowystinger merged commit 369c0f5 into adobe:main May 22, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snowystinger snowystinger snowystinger approved these changes

@LFDanLu LFDanLu LFDanLu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

LocalizedStringProvider: missing nonce parameter when CSP is enabled
3 participants
@Julienng @snowystinger @LFDanLu