feat: handle nonce and trusted types (CSP) in next app-dir

Author: lsagetlethias

README.md

@@ -110,6 +110,8 @@ A few projects that use `@codegouvfr/react-dsfr`.
 
 -   https://code.gouv.fr/sill
 -   https://immersion-facile.beta.gouv.fr/
+-   https://egapro.travail.gouv.fr/
+-   https://maisondelautisme.gouv.fr/
 -   https://refugies.info/fr
 -   https://www.mediateur-public.fr/
 -   https://signal.conso.gouv.fr/

package.json

@@ -107,7 +107,7 @@
         "remixicon": "^3.2.0",
         "storybook-dark-mode": "^1.1.2",
         "ts-node": "^10.9.1",
-        "tss-react": "^4.9.0",
+        "tss-react": "^4.9.1",
         "type-route": "^1.0.1",
         "typescript": "^4.9.1",
         "vitest": "^0.24.3"

src/next-appdir/DsfrHead.tsx

@@ -55,18 +55,25 @@ export function DsfrHead(props: DsfrHeadProps) {
             <link rel="apple-touch-icon" href={getAssetUrl(AppleTouchIcon)} />
             <link rel="icon" href={getAssetUrl(FaviconSvg)} type="image/svg+xml" />
             <link rel="shortcut icon" href={getAssetUrl(FaviconIco)} type="image/x-icon" />
-            {isProduction && (
-                <script
-                    nonce={nonce}
-                    dangerouslySetInnerHTML={{
-                        "__html": getScriptToRunAsap({
-                            defaultColorScheme,
-                            nonce,
-                            trustedTypesPolicyName
-                        })
-                    }}
-                />
-            )}
+            <script
+                suppressHydrationWarning
+                nonce={nonce}
+                dangerouslySetInnerHTML={{
+                    "__html": getScriptToRunAsap({
+                        defaultColorScheme,
+                        nonce,
+                        trustedTypesPolicyName
+                    })
+                }}
+            />
+            <script
+                suppressHydrationWarning
+                key="nonce-setter"
+                nonce={nonce}
+                dangerouslySetInnerHTML={{
+                    __html: `window.ssrNonce = "${nonce}";`
+                }}
+            />
         </>
     );
 }

src/next-appdir/zz_internal/start.ts

@@ -8,16 +8,22 @@ import { isBrowser } from "../../tools/isBrowser";
 let isAfterFirstEffect = false;
 const actions: (() => void)[] = [];
 
-export function startReactDsfr(params: {
+export async function startReactDsfr(params: {
     defaultColorScheme: DefaultColorScheme;
     /** Default: false */
     verbose?: boolean;
     /** Default: <a /> */
     Link?: (props: RegisteredLinkProps & { children: ReactNode }) => ReturnType<React.FC>;
-    nonce?: string;
+    checkNonce?: boolean;
     trustedTypesPolicyName?: string;
 }) {
-    const { defaultColorScheme, verbose = false, Link, nonce, trustedTypesPolicyName } = params;
+    const {
+        defaultColorScheme,
+        verbose = false,
+        Link,
+        checkNonce,
+        trustedTypesPolicyName
+    } = params;
 
     setDefaultColorSchemeClientSide({ defaultColorScheme });
 
@@ -39,7 +45,7 @@ export function startReactDsfr(params: {
                     }
                 }
             },
-            nonce,
+            checkNonce,
             trustedTypesPolicyName
         });
     }

src/spa.ts

@@ -15,15 +15,15 @@ export function startReactDsfr(params: {
     Link?: (props: RegisteredLinkProps & { children: ReactNode }) => ReturnType<React.FC>;
     /** Default: ()=> "fr" */
     useLang?: () => string;
-    nonce?: string;
+    checkNonce?: boolean;
     trustedTypesPolicyName?: string;
 }) {
     const {
         defaultColorScheme,
         verbose = false,
         Link,
         useLang,
-        nonce,
+        checkNonce,
         trustedTypesPolicyName
     } = params;
 
@@ -39,7 +39,7 @@ export function startReactDsfr(params: {
         defaultColorScheme,
         verbose,
         "nextParams": undefined,
-        nonce,
+        checkNonce,
         trustedTypesPolicyName
     });
 }

src/start.ts

@@ -13,14 +13,14 @@ type Params = {
               registerEffectAction: (effect: () => void) => void;
           }
         | undefined;
-    nonce?: string;
+    checkNonce?: boolean;
     trustedTypesPolicyName?: string;
 };
 
 let isStarted = false;
 
 export async function start(params: Params) {
-    const { defaultColorScheme, verbose, nextParams, nonce, trustedTypesPolicyName } = params;
+    const { defaultColorScheme, verbose, nextParams, checkNonce, trustedTypesPolicyName } = params;
 
     assert(isBrowser);
 
@@ -38,7 +38,7 @@ export async function start(params: Params) {
         "doPersistDarkModePreferenceWithCookie":
             nextParams === undefined ? false : nextParams.doPersistDarkModePreferenceWithCookie,
         registerEffectAction,
-        nonce,
+        checkNonce,
         trustedTypesPolicyName
     });
 

src/useIsDark/client.ts

@@ -98,14 +98,14 @@ export function startClientSideIsDarkLogic(params: {
     registerEffectAction: (action: () => void) => void;
     doPersistDarkModePreferenceWithCookie: boolean;
     colorSchemeExplicitlyProvidedAsParameter: ColorScheme | "system";
-    nonce?: string;
+    checkNonce?: boolean;
     trustedTypesPolicyName?: string;
 }) {
     const {
         doPersistDarkModePreferenceWithCookie,
         registerEffectAction,
         colorSchemeExplicitlyProvidedAsParameter,
-        nonce,
+        checkNonce,
         trustedTypesPolicyName = "react-dsfr"
     } = params;
 
@@ -119,8 +119,7 @@ export function startClientSideIsDarkLogic(params: {
             return {
                 "clientSideIsDark": isDarkFromHtmlAttribute,
                 "ssrWasPerformedWithIsDark":
-                    ((window as any).ssrWasPerformedWithIsDark as boolean | undefined) ??
-                    isDarkFromHtmlAttribute
+                    window.ssrWasPerformedWithIsDark ?? isDarkFromHtmlAttribute
             };
         }
 
@@ -234,13 +233,17 @@ export function startClientSideIsDarkLogic(params: {
 
     {
         const setRootColorScheme = (isDark: boolean) => {
+            const nonce = window.ssrNonce;
+            if (checkNonce && !nonce) {
+                return;
+            }
             document.getElementById(rootColorSchemeStyleTagId)?.remove();
 
             const element = document.createElement("style");
 
             element.id = rootColorSchemeStyleTagId;
 
-            if (nonce !== undefined) {
+            if (nonce) {
                 element.setAttribute("nonce", nonce);
             }
 

src/useIsDark/scriptToRunAsap.ts

@@ -8,6 +8,13 @@ type GetScriptToRunAsap = (props: {
     trustedTypesPolicyName?: string;
 }) => string;
 
+declare global {
+    interface Window {
+        ssrWasPerformedWithIsDark?: boolean;
+        ssrNonce?: string;
+    }
+}
+
 // TODO enhance to use DOMPurify with trustedTypes
 export const getScriptToRunAsap: GetScriptToRunAsap = ({
     defaultColorScheme,
@@ -17,7 +24,7 @@ export const getScriptToRunAsap: GetScriptToRunAsap = ({
 {
 
     window.ssrWasPerformedWithIsDark = "${defaultColorScheme}" === "dark";
-	const sanitizer = typeof trustedTypes !== "undefined" ? trustedTypes.createPolicy("${trustedTypesPolicyName}", { createHTML: s => s }) : {
+	const sanitizer = typeof trustedTypes !== "undefined" ? trustedTypes.createPolicy("${trustedTypesPolicyName}-asap", { createHTML: s => s }) : {
 		createHTML: s => s,
 	};
     

test/integration/cra/package.json

@@ -8,7 +8,6 @@
         "react-scripts": "5.0.1",
         "type-route": "^0.7.2",
         "@mui/material": "^5.13.3",
-        "tss-react": "^4.8.6",
         "@emotion/react": "^11.11.0",
         "@emotion/styled": "^11.11.0",
         "@mui/icons-material": "^5.10.16",
@@ -50,4 +49,4 @@
             "last 1 safari version"
         ]
     }
-}
+}

test/integration/cra/yarn.lock

@@ -1103,7 +1103,7 @@
   integrity sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==
 
 "@codegouvfr/react-dsfr@file:../../../dist":
-  version "0.58.9"
+  version "0.75.8"
   dependencies:
     tsafe "^1.6.3"
 
@@ -1268,7 +1268,7 @@
     source-map "^0.5.7"
     stylis "4.2.0"
 
-"@emotion/cache@*", "@emotion/cache@^11.11.0":
+"@emotion/cache@^11.11.0":
   version "11.11.0"
   resolved "https://registry.yarnpkg.com/@emotion/cache/-/cache-11.11.0.tgz#809b33ee6b1cb1a625fef7a45bc568ccd9b8f3ff"
   integrity sha512-P34z9ssTCBi3e9EI1ZsWpNHcfY1r09ZO0rZbRO2ob3ZQMnFI35jB536qoXbkdesr5EUhYi22anuEJuyxifaqAQ==
@@ -1310,7 +1310,7 @@
     "@emotion/weak-memoize" "^0.3.1"
     hoist-non-react-statics "^3.3.1"
 
-"@emotion/serialize@*", "@emotion/serialize@^1.1.2":
+"@emotion/serialize@^1.1.2":
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/@emotion/serialize/-/serialize-1.1.2.tgz#017a6e4c9b8a803bd576ff3d52a0ea6fa5a62b51"
   integrity sha512-zR6a/fkFP4EAcCMQtLOhIgpprZOwNmCldtpaISpvz348+DP4Mz8ZoKaGGCQpbzepNIUWbq4w6hNZkwDyKoS+HA==
@@ -1348,7 +1348,7 @@
   resolved "https://registry.yarnpkg.com/@emotion/use-insertion-effect-with-fallbacks/-/use-insertion-effect-with-fallbacks-1.0.1.tgz#08de79f54eb3406f9daaf77c76e35313da963963"
   integrity sha512-jT/qyKZ9rzLErtrjGgdkMBn2OP8wl0G3sQlBb3YPryvKHsjvINUhVaPFfP+fpBcOkmrVOVEEHQFJ7nbj2TH2gw==
 
-"@emotion/utils@*", "@emotion/utils@^1.2.1":
+"@emotion/utils@^1.2.1":
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/@emotion/utils/-/utils-1.2.1.tgz#bbab58465738d31ae4cb3dbb6fc00a5991f755e4"
   integrity sha512-Y2tGf3I+XVnajdItskUCn6LX+VUDmP6lTL4fcqsXAv43dnlbZiuW4MWQW38rW/BVWSE7Q/7+XQocmpnRYILUmg==
@@ -8540,15 +8540,6 @@ tslib@^2.0.3:
   resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.4.1.tgz#0d0bfbaac2880b91e22df0768e55be9753a5b17e"
   integrity sha512-tGyy4dAjRIEwI7BzsB0lynWgOpfqjUdq91XXAlIWD2OwKBH7oCl/GZG/HT4BOHrTlPMOASlMQ7veyTqpmRcrNA==
 
-tss-react@^4.8.6:
-  version "4.8.6"
-  resolved "https://registry.yarnpkg.com/tss-react/-/tss-react-4.8.6.tgz#c1d9ede44474e3119bb21ef6ef7ae4057cbee751"
-  integrity sha512-+ucvy+SLFUUxd3zA3QS9Q7bo5FerR8VIUOHieyvYYMoBqtpVinnOA0aTOSXcSdl4lqjFc/9gNA5x0B5iIWk7hA==
-  dependencies:
-    "@emotion/cache" "*"
-    "@emotion/serialize" "*"
-    "@emotion/utils" "*"
-
 tsutils@^3.21.0:
   version "3.21.0"
   resolved "https://registry.yarnpkg.com/tsutils/-/tsutils-3.21.0.tgz#b48717d394cea6c1e096983eed58e9d61715b623"