feat: support strict CSP (follow-up to #1193)#1240
Merged
Conversation
Resolve conflicts in: - packages/dockview-core/src/dockview/options.ts (kept both new imports from master and the CspNonce import from this branch) - __generated__/dockview-core-exports.txt (regenerated via npm run gen) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… in addStyles When a stylesheet has an href, addStyles already appends a <link> to the target document. Previously it then also fell through and tried to read cssRules to inject inline <style> elements for the same sheet, which both duplicates the rules (same-origin sheets) and logs a security warning (cross-origin sheets). Continue past the inline-injection block once the <link> has been appended. Also runs prettier on dom.ts and dom.spec.ts to satisfy format:check. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add three integration tests around PopoutWindow.open() that mock window.open and verify the nonce option flows all the way into the <style> elements injected into the popout document, both for string nonces and for the (targetDocument) => string callback form. Also adds a small contract test asserting that 'nonce' is in PROPERTY_KEYS_DOCKVIEW, which is what makes the React and Vue wrappers auto-forward the option without explicit prop wiring. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The exported union `string | ((doc: Document) => string | undefined)` is
not just a nonce — only the first arm is. The second arm provides one.
Rename to CspNonceProvider so the type name describes both shapes
accurately. Also drop an unused `import { CspNonce }` line in
options.ts (the `export { ... } from '../dom'` re-export was already
sufficient).
While here, split the `dom.spec.ts` "preserves source order" test:
because addStyles now `continue`s past cssRules access for href-bearing
sheets, the previous test's throwing cssRules getter and console.warn
spy were dead code. The split now has one test for ordering (using a
plain href stylesheet in the middle) and a separate test that exercises
the warn path on a no-href sheet whose cssRules access throws.
Regenerate __generated__/dockview-core-exports.txt for the rename.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Move `advanced/csp.mdx` -> `core/security.mdx` and retitle to "Security". CSP is one slice of how Dockview behaves in security-hardened environments alongside Trusted Types and same-origin popouts; the page was already covering all three. Live alongside theming/events/dnd in `core/` since this is operational config every production deploy hits, not an edge case. Two content changes worth flagging: - Clarify that the `nonce` option only authorises the inline <style> elements Dockview injects. External CSS files Dockview reattaches as <link rel="stylesheet"> in the popout are still subject to your `style-src` source expressions — the URLs must be covered by 'self' or an explicit origin in the directive, not just by the nonce. - Document the FOUC edge for href-bearing sheets in popouts: because they reload via <link> they're applied asynchronously, so the popout may flash unstyled for a frame on a slow origin. Invisible in practice for same-origin (cached) sheets. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolve add/add conflict in packages/dockview-core/src/__tests__/popoutWindow.spec.ts: both branches added the file. Keep both describe blocks — this branch's CSP nonce wiring tests (`PopoutWindow` describe) plus master's same-origin URL assertion tests (`assertSameOriginPopoutUrl` describe). Updated the CSP test URLs from 'about:blank' to '/popout.html' so they clear master's new assertSameOriginPopoutUrl gate (which now runs in PopoutWindow.open). Verified all 904 dockview-core tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The `export { CspNonceProvider } from '../dom'` re-export only forwards
the name to consumers — it does not bring it into local scope, so the
type annotation `nonce?: CspNonceProvider` further down failed with
TS2304. Restore the local import alongside the re-export.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Builds on @hyperNURb's #1193 (preserves all original commits/authorship) and addresses the items blocking that PR.
What this PR adds on top of #1193
packages/dockview-core/src/dockview/options.tsimports +__generated__/dockview-core-exports.txt). Brings in the unrelatedReactComponentBridgetest-flake fix (ce02eea24) so CI'stestjob stops failing.fix(dockview-core): avoid duplicating rules from external stylesheets —addStylespreviously appended a<link>for href-bearing sheets and fell through to inject inline<style>elements for the same sheet, which both duplicates rules (same-origin sheets) and triggers the security-warning path (cross-origin sheets). Flagged by the Copilot review on feat: support strict CSP #1193. Now wecontinuepast the inline-injection block once the<link>has been appended, and the existing test is tightened to assert no<style>is produced for an href sheet.dom.tsanddom.spec.tssoformat:checkpasses.test(dockview-core): cover CSP nonce wiring —popoutWindow.spec.ts(3 tests) drivesPopoutWindow.open()with a mockedwindow.openand verifies the nonce option flows throughaddStylesinto the<style>elements in the popout document, for both string and(targetDocument) => stringforms.options.spec.tsasserts'nonce' ∈ PROPERTY_KEYS_DOCKVIEW, which is the contract that lets the React and Vue wrappers auto-forward the option without explicit prop wiring (validates the description's claim that React/Vue are covered).Test plan
yarn nx run dockview-core:format:check— cleanyarn nx run dockview-core:lint— 0 errorsyarn nx run dockview-core:test— 867/867 pass (+14 from new tests)addStylestest would have caught the duplicate-rules bug (checked by reverting thecontinuelocally —<style>length goes from 0 → 1)🤖 Generated with Claude Code