Description
Pre-flight checklist
- I have read the contribution documentation for this project.
- I agree to follow the code of conduct that this project uses.
- I have searched the issue tracker for a feature request that matches the one I want to file, without success.
Problem description
I am working on an Electron app that uses Electron Forge and Webpack. It is a React app that uses Styled-Components. Since Styled-Components is being deprecated, there will be work to move away from it; however, in the meantime it still needs to be supported.
I added a content-security policy for Electron using `session.defaultSession.webRequest.onHeadersReceived`. I am using a custom protocol as outlined in Electron Security. My current content-security policy is `default-src ${CUSTOM_PROTOCOL}: 'unsafe-inline'`.
I would like the ability to not have to use `'unsafe-inline'`. My understanding is that to remove it I would need to use either a nonce or a hash. It seems that a nonce is likely not a good approach for styled-components or webpack. It seems that using a hash and `'strict-dynamic'` would be the only potential avenue to improving the CSP.
I am requesting a feature that allows for adding a CSP with hashes of the underlying scripts. This should allow me to improve my CSP.
Proposed solution
There is an existing webpack plugin that should allow for a CSP to be added with script hashes: https://github.com/slackhq/csp-html-webpack-plugin
It is just not clear whether that repository is well enough supported to be used in Electron Forge, or whether it would be better to implement this directly.
Alternatives considered
Nonce seems to not be supported by styled-components
Additional information
"@electron-forge/cli": "^7.7.0",
"electron": "37.1.0",
Please let me know if my understanding of content-security policy is correct. This is a new area for me and I am just trying to ensure I am following best practices.