Comments (7)
For reference, as a developer using this script won't frequently change the script configurations, you can compute on your own the sha
value for your own production script and add it to your CSP. It's a solution as good as any other. For me, for example, it's the above
sha256-ZxiMCbcVxDCutNT7QrHdr+d0Z99vF3DED6pLitElTag=
from next-themes.
Related to: #106
You can't add hash exception for base64 encoded script (current approach). You could add data:
to script-src
directive for now.
from next-themes.
In my case, following error comes up:
Refused to load the script 'data:text/javascript;base64,IWZ1bmN0aW9uKCl7dHJ5IHt2YXIgZD1kb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuY2xhc3NMaXN0O2QucmVtb3ZlKCdsaWdodCcsJ2RhcmsnKTt2YXIgZT1sb2NhbFN0b3JhZ2UuZ2V0SXRlbSgndGhlbWUnKTtpZigic3lzdGVtIj09PWV8fCghZSYmdHJ1ZSkpe3ZhciB0PSIocHJlZmVycy1jb2xvci1zY2hlbWU6IGRhcmspIixtPXdpbmRvdy5tYXRjaE1lZGlhKHQpO2lmKG0ubWVkaWEhPT10fHxtLm1hdGNoZXMpe2Quc3R5bGUuY29sb3JTY2hlbWUgPSAnZGFyayc7ZC5hZGQoJ2RhcmsnKX1lbHNle2Quc3R5bGUuY29sb3JTY2hlbWUgPSAnbGlnaHQnO2QuYWRkKCdsaWdodCcpfX1lbHNlIGlmKGUpe2QuYWRkKGV8fCAnJyl9aWYoZT09PSdsaWdodCd8fGU9PT0nZGFyaycpZC5zdHlsZS5jb2xvclNjaGVtZT1lfWNhdGNoKGUpe319KCk=' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'unsafe-inline' *.youtube.com *.twitter.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
Security Policies Used:
// https://securityheaders.com
const ContentSecurityPolicy = `
default-src 'self';
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.youtube.com *.twitter.com cdn.usefathom.com;
child-src *.youtube.com *.google.com *.twitter.com;
style-src 'self' 'unsafe-inline' *.googleapis.com;
img-src * blob: data:;
media-src 'none';
connect-src *;
font-src 'self';
`;
const securityHeaders = [
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
{
key: 'Content-Security-Policy',
value: ContentSecurityPolicy.replace(/\n/g, '')
},
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
{
key: 'Referrer-Policy',
value: 'origin-when-cross-origin'
},
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
{
key: 'X-Frame-Options',
value: 'DENY'
},
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
{
key: 'X-Content-Type-Options',
value: 'nosniff'
},
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
{
key: 'X-DNS-Prefetch-Control',
value: 'on'
},
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
{
key: 'Strict-Transport-Security',
value: 'max-age=31536000; includeSubDomains; preload'
},
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
// Opt-out of Google FLoC: https://amifloced.org/
{
key: 'Permissions-Policy',
value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()'
}
];
@vanntile Any idea how to fix this ?
The link you mentioned does not work now
Thanks
from next-themes.
You should add a SHA-256 value of the script, as I said above. Chrome can recommend you the actual computed value.
from next-themes.
I searched the option to pass SHA downn the ThemeProvider
but didd not find any. Can you tell me / recommend some link?
from next-themes.
Thanks @brokul-dev. Following worked for me:
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.youtube.com *.twitter.com data:;
from next-themes.
For your information, I have commented below on the method I used to obtain the hash value.
from next-themes.
Related Issues (20)
- setTheme does not update DOM (next 13) HOT 1
- How can I get a transition between dark and light mode HOT 4
- defaultTheme did't work in the latest Chrome for macOS HOT 7
- Next Themes Flash of White BG when using the basePath HOT 4
- Inconsistent theming when the page loads HOT 3
- light/dark mode by changing class names on html tag HOT 2
- There is a error while setting up ThemeProvider HOT 5
- How to disable syncing themes between tabs HOT 2
- Documentation out of date with Tailwind's new dark-mode API
- Should `resolvedTheme` obey `forcedTheme`? HOT 3
- Allow nested providers HOT 2
- Theme object is injected into the "data-theme" property. HOT 1
- useTheme doesn't work in monorepo ui library. HOT 1
- `TypeError: Cannot read properties of undefined (reading 'addListener')` using `vitest`/`@testing-library/react` HOT 1
- Support for changing both class and data-theme attribute simultaneously HOT 1
- Callback Version of `setTheme` Passes Itself HOT 1
- Possibility to share across sub-domains? HOT 1
- ThemeProvider returns multiple types HOT 3
- setTheme not working HOT 1
- Theme flashing v0.3.0 HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from next-themes.