Style-src permission

Hello there. First of all thanks for releasing all the amazing new custom UI goodies to the community! One major roadblock for me to embed third party libraries (such as Google Charts) is the inability to set the style-src CSP policy. This has been addressed with the “Permissions” features for custom UI, however only script-src, connect-src, image-src and media-src so far have permissions. To make it really versatile the style-src CSP is missing. This way I will also not need to make use of unsafe-inline because I can use trusted resources.

Is this feature just forgotten or is there any major reason why stylesheets cannot be included via CSP? If this is just forgotten I assume creating corresponding code that does exactly the same as for script-src should be trivial. Can we expect any ETA on this?

Best regards

Hi @lennardberger
Glad to know you are enjoying the changes to Custom UI we are making :slight_smile:

Thanks for reporting this! This was not intended to keep the style-src CSP out of the permissions.
This has been flagged internally and we will aim to ship a fix in the coming weeks. We cannot promise a date but you can follow up on this here: [FRGE-253] Allow style-src as part of Egress Permissions for Custom UI apps - Ecosystem Jira

1 Like

Morning @lennardberger

I am pleased to announce that the above request has been implemented and shipped as part of yesterday release!
Once you upgrade your Forge CLI, you will now be able to include external.styles to your manifest and re-deploy your app to take it into effect.

Please refer to:

Cheers!

3 Likes

Hello,

I’m here since I also had issues with style-src: self. I solved quickly by updating manifest and adding unsafe-inline.

There are multiple issues as of now:

  1. Manifest CSP unsafe-styles will be deprecates by 18 of September (not mentioned in manifest docs, I encountered in on custom-ui page) so as I understand we should use <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline' 'self'" /> tag inside our index.html (SPA)

  2. I’m unable to revoke unsafe-inline permissions by removing entries from the manifest.yaml, therefore I’m unable to test the meta tag. Test will just produce false positive outcomes.

  3. @atlaskit utilizes unsafe-inline therefore ironically, if developers want to use official ui library he will need to enable it anyway.

As for now, my app is stuck with unsafe-inline from manifest.yaml since I’m unable to revoke it.

Cheers,
Arturs

Hi @Townsheriff

Thanks for reaching out.

So it seems there is a bit of confusion here: the use of the <meta> tag is the one being deprecated and removed in the near future. Instead, one should use the manifest permissions, like so:

permissions:
  content:
    styles: 
      - 'unsafe-inline'

The exhausted list of supported permissions is documented here

Hope this clarifies things :slight_smile:

Cheers

1 Like