handreyrc commented on issue #3197: URL: https://github.com/apache/incubator-kie-tools/issues/3197#issuecomment-3104976643
@batzionb I investigated the issue and the root cause is how resources such as CSS and scripts are being added to the DOM at runtime by the diagram editor's core. GWT uses a script / style injector that fetches the `<HEAD>` from the DOM and literally injects text / content into it at runtime. The catch is that the same approach was ported to our current J2CL implementation of the editor. The issue is not only a matter of including those resources in the DOM; we also need to make them available to Java code, otherwise we cannot consume jQuery, Bootstrap, PatternFly... Take a look at how it works: [StunnerLienzoCore.java](https://github.com/apache/incubator-kie-tools/blob/main/packages/serverless-workflow-diagram-editor/kie-wb-common-stunner/kie-wb-common-stunner-client/kie-wb-common-stunner-lienzo/src/main/java/org/kie/workbench/common/stunner/client/lienzo/StunnerLienzoCore.java#L51)

The CSP error message implies that to make those resources safe we need to add a hash / nonce to them so they would be allowed to run. Following that approach I added a webpack plugin, "CspHtmlWebpackPlugin", that at compile time scans the scripts and styles included and then adds a nonce to all of them. It works fine; however, the scripts being blocked are being added at runtime and would still be blocked by the RHDH CSP policies.

Aiming to solve this issue, there is a way to extend permissions from a parent script to its child scripts by adding "strict-dynamic" to the CSP header. The interesting part in this approach is that we have the RHDH CSP coming from the HTTP header and the CSP `<META>` tag added to the resulting HTML by the "CspHtmlWebpackPlugin". Despite the browser combining both CSP sources, there are rules to be observed. The stricter policy always wins. It means that we can tighten up rules via the `<META>` tag but we cannot relax them. In this case "strict-dynamic" loses to the RHDH CSP rules and has no effect.
That being said, I don't see any fix by tuning CSP parameters on the editor side. The remaining solution is to remove the script injector usages and then re-engineer the way scripts are included and made available to Java code in the diagram editor. For example, somehow find a way to include those scripts statically and then build Elemental interfaces to bridge the access to JS native resources from Java code. The CSP did not complain about the styles and fonts also being included; however, they can be an issue as well once the script issue is fixed.
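The "stricter policy wins" behaviour described in the comment above can be modelled in a few lines. The following is an added example (not kie-tools, RHDH or GWT code): a toy evaluator for the `script-src` directive that enforces each delivered policy independently, which is what a browser does when a header policy and a `<meta>` policy are both present. The policy strings, the page origin and the script descriptors are constructed for illustration; the actual RHDH header policy is not on the page and is assumed here to be a plain `'self'` allow-list.

```javascript
// Toy model of multiple-CSP enforcement for script-src (added example, not
// project code). A script runs only if EVERY policy allows it, so a looser
// <meta> policy (e.g. one adding 'strict-dynamic') cannot relax the header.

// Parse "directive src src; directive ..." into { directive: [sources] }.
function parseCsp(policyText) {
  const directives = {};
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does ONE policy allow the script? `script` records how the element reached
// the DOM: src (null for inline text), nonce attribute, whether it was
// parser-inserted (document.write / innerHTML) and whether an already-trusted
// script created it via createElement/appendChild (the GWT injector path).
function scriptAllowed(policy, script, pageOrigin) {
  const sources = policy["script-src"] ?? policy["default-src"];
  if (!sources) return true; // this policy does not restrict scripts

  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;

  if (sources.includes("'strict-dynamic'")) {
    // Host sources, 'self' and 'unsafe-inline' are ignored; trust propagates
    // only to non-parser-inserted scripts created by a trusted script.
    return Boolean(script.createdByTrustedScript) && !script.parserInserted;
  }

  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (script.src === null) {
    // Inline script: 'unsafe-inline' is ignored once a nonce/hash is listed.
    return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  // External script: 'self' or a matching host source.
  const origin = new URL(script.src).origin;
  if (sources.includes("'self'") && origin === pageOrigin) return true;
  return sources.some(s => !s.startsWith("'") && (s === "*" || origin === s || script.src.startsWith(s)));
}

// The browser's combination rule: every delivered policy must allow it.
function allowedByAllPolicies(policyTexts, script, pageOrigin) {
  return policyTexts.map(parseCsp).every(p => scriptAllowed(p, script, pageOrigin));
}

// Constructed policies: an assumed header policy standing in for RHDH's, and a
// <meta> policy of the kind CspHtmlWebpackPlugin would emit with a build-time nonce.
const HEADER_CSP = "script-src 'self'";
const META_CSP = "script-src 'nonce-abc123' 'strict-dynamic'";
const PAGE_ORIGIN = "https://rhdh.example";

// The nonced editor bundle shipped in the page (constructed).
const bundleScript = { src: "https://rhdh.example/editor.js", nonce: "abc123", parserInserted: false, createdByTrustedScript: false };
// What a ScriptInjector.fromString-style call produces: an inline <script>
// created by the trusted bundle and appended to <head> at runtime, no nonce.
const injectedInline = { src: null, nonce: null, parserInserted: false, createdByTrustedScript: true };
// The direction the comment suggests: ship the dependency statically, nonced at build time.
const staticJquery = { src: "https://rhdh.example/jquery.js", nonce: "abc123", parserInserted: false, createdByTrustedScript: false };

function demo() {
  return {
    bundle: allowedByAllPolicies([HEADER_CSP, META_CSP], bundleScript, PAGE_ORIGIN),
    injectedUnderMetaOnly: allowedByAllPolicies([META_CSP], injectedInline, PAGE_ORIGIN),
    injectedUnderBoth: allowedByAllPolicies([HEADER_CSP, META_CSP], injectedInline, PAGE_ORIGIN),
    staticWithNonce: allowedByAllPolicies([HEADER_CSP, META_CSP], staticJquery, PAGE_ORIGIN),
  };
}
```

`demo()` shows the shape of the problem: the runtime-injected script passes the `<meta>` policy on its own thanks to `'strict-dynamic'`, but fails once the header policy is evaluated alongside it, while a statically included, nonced script passes both. Real CSP matching (scheme/port rules, path matching, `'unsafe-hashes'`, `'report-sample'`) is richer than this model; the point it isolates is only the intersection rule.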
