Hello there. First of all thanks for releasing all the amazing new custom UI goodies to the community! One major roadblock for me to embed third party libraries (such as Google Charts) is the inability to set the style-src CSP policy. This has been addressed with the “Permissions” features for custom UI, however only script-src, connect-src, image-src and media-src so far have permissions. To make it really versatile the style-src CSP is missing. This way I will also not need to make use of unsafe-inline because I can use trusted resources.
Is this feature just forgotten or is there any major reason why stylesheets cannot be included via CSP? If this is just forgotten I assume creating corresponding code that does exactly the same as for script-src should be trivial. Can we expect any ETA on this?
Best regards
Hi @lennardberger
Glad to know you are enjoying the changes to Custom UI we are making
Thanks for reporting this! This was not intended to keep the style-src CSP out of the permissions.
This has been flagged internally and we will aim to ship a fix in the coming weeks. We cannot promise a date but you can follow up on this here: [FRGE-253] - Ecosystem Jira
Morning @lennardberger
I am pleased to announce that the above request has been implemented and shipped as part of yesterday's release!
Once you upgrade your Forge CLI, you will be able to include external.styles in your manifest and re-deploy your app for it to take effect.
Please refer to:
Cheers!
Hello,
I’m here since I also had issues with style-src: self. I solved it quickly by updating the manifest and adding unsafe-inline.
There are multiple issues as of now:
- Manifest CSP unsafe-styles will be deprecated by 18 September (not mentioned in the manifest docs; I encountered it on the custom-ui page), so as I understand it we should use the <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' 'self'" /> tag inside our index.html (SPA).
- I’m unable to revoke unsafe-inline permissions by removing entries from the manifest.yaml, therefore I’m unable to test the meta tag. The test will just produce false-positive outcomes.
- @atlaskit utilizes unsafe-inline, therefore, ironically, if developers want to use the official UI library they will need to enable it anyway.
As for now, my app is stuck with unsafe-inline from manifest.yaml since I’m unable to revoke it.
Cheers,
Arturs
Hi @Townsheriff
Thanks for reaching out.
So it seems there is a bit of confusion here: the use of the <meta> tag is the one being deprecated and removed in the near future. Instead, one should use the manifest permissions, like so:
permissions:
  content:
    styles:
      - 'unsafe-inline'
The exhaustive list of supported permissions is documented here
Hope this clarifies things
Cheers
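For the question that opened this thread (loading a third-party library's CSS without falling back to 'unsafe-inline'), an added example that is not from the thread or from Atlassian's documentation: two manifest.yml permission excerpts, the weak setting discussed above next to the allowlist form. It assumes the permissions.external.styles key the second reply refers to, and uses the gstatic origin only as a stand-in for wherever a given library actually serves its stylesheets.

```yaml
# Added example, not from the thread. Two Forge Custom UI manifest excerpts,
# separated as YAML documents; only the permissions section is shown.

# 1) Weak setting: 'unsafe-inline' under content.styles.
#    Every inline <style> block and style="" attribute is then allowed,
#    including ones written into the page by an injection bug, so the
#    style-src part of the CSP no longer constrains anything.
permissions:
  content:
    styles:
      - 'unsafe-inline'
---
# 2) Allowlist form: name the origin the library's CSS is served from under
#    external.styles and leave content.styles out, so inline styles stay
#    blocked. The origin below is an assumption standing in for the real
#    host; take it from the library's documentation, not from this example.
permissions:
  external:
    styles:
      - 'https://www.gstatic.com'
```

To confirm the second form is sufficient, load the app with content.styles removed and watch the browser console for CSP violation reports ("Refused to apply inline style ..."); a library that still injects inline styles, as the thread notes for @atlaskit, will show up there rather than silently passing.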