You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
To fix this the same way CSP is supported for the main script injection, a nonce also needs to be passed into this style injection. It would make sense to me to reuse the same nonce, which would be most seamless by using the same from emotion cache provider. (or it could be passed through in some other way)
Just came across this issue while trying to get rid of this error with chakra-ui/nextjs.
If I understand correctly, the style tag being injected is hard coded into the source, so adding the suggested hash to the CSP style-src should remove the error (sha256-GNF74DLkXb0fH3ILHgILFjk1ozCF3SNXQ5mQb7WLu/Y=)
..not super elegant but seems to work so long as the source remains unchanged.
Description
When I use Chakra in a project with a content security policy, I see the following error:
This is not resolved by setting a nonce in my emotion cache, or by adding a
ColorModeScript
with a nonce.Link to Reproduction
main...apexskier:chakra-ui:csp-style-issue
Steps to reproduce
Run the vite-js example project from my fork, run behind https and add a content security policy matching the one in the vite config example. (I used something similar to
ngrok
and this chrome plugin https://chrome.google.com/webstore/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj.Chakra UI Version
default branch
Browser
Google Chrome 116.0.5845.187
Operating System
Additional Information
The error comes from the
<style>
node creation here:chakra-ui/packages/components/color-mode/src/color-mode.utils.ts
Lines 49 to 55 in 6d12ea8
To fix this the same way CSP is supported for the main script injection, a nonce also needs to be passed into this style injection. It would make sense to me to reuse the same nonce, which would be most seamless by using the same from emotion cache provider. (or it could be passed through in some other way)
An example/verification of this fix can be found here apexskier/chakra-ui@csp-style-issue...apexskier:chakra-ui:csp-style-issue-fix (the first commit, or combo of first and second commits both work).
The text was updated successfully, but these errors were encountered: