Menu
I have to use a Content Security Policy for a react application.
The reason, that is however not of a big matter here, is, that I am creating a WebExtension/Browser Extension/add-on and these do have such a content security policy, and there things like 'unsafe-eval' and 'unsafe-inline' are strictly disallowed:
extensions with 'unsafe-eval', 'unsafe-inline', remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues.
I have created the app with create-react-app loosly following this guide. The objective would be to be able to use react there with the default CSP of WebExtensions, or, at least, only minor adjustments.
However note, that (such strict) CSPs should actually also be used on "normal" websites for security reasons, so this question is not only for add-on makers.
But when I run npm run build the generated index.html does contain more than enough inline JS code.
So how can I configure/use react to not do this and...
Actually, it seems the development version (created when I run npm start) does not have such minifications. So I've asked a seperate question for how to get the files from there: How to build a production version of React without minification?
896
You can enable a CSP in two different ways in a React app. The first is to add the headers directly to the response. The second is to add meta tags to the content. Note that meta tags aren't supported for some security headers, such as HSTS.
Content Security Policy was built to combat Cross Site Scripting by requiring that you can only load javascript from a specifically trusted origins. But when you put in 'unsafe-inline' you are allowing javascript back into the HTML, which makes XSS possible again.
The unsafe-inline option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.).
Yes, you will need to know CSS if you want to add styling in React. First you must know the basics of CSS, and then you will need to learn how to use it in React. For elements that will not change, you just create CSS files in your React project and import them to your . js files.
Actually thanks to @heyimalex I found a very easy answer for my problem. Just run the build script like this:
INLINE_RUNTIME_CHUNK=false npm run build Afterwards, it should be CSP-compatible.
130
Anyone facing issue with INLINE_RUNTIME_CHUNK=false with non recognized command in Windows system, below is the proper way to execute the command to prevent the inline chunk on the build.
set "INLINE_RUNTIME_CHUNK=false" && react-scripts build
Create a script to execute it in your package.json file.
"scripts": { "build": "set \"INLINE_RUNTIME_CHUNK=false\" && react-scripts build" } I found that quotes around the INLINE_RUNTIME_CHUNK are necessary as well && If the command is executed in Windows default command line.
For Linux, you can follow the accepted answer.
Use the Environment variable so that you don't have to worry about running the command.
Create a .env file and add INLINE_RUNTIME_CHUNK=false.
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
