wip nonce and trustedTypes

Author: lsagetlethias

.nvmrc

@@ -0,0 +1 @@
+18

src/next-appdir/DsfrHead.tsx

@@ -20,12 +20,14 @@ export type DsfrHeadProps = {
     preloadFonts?: (keyof typeof fontUrlByFileBasename)[];
     /** Default: <a /> */
     Link?: (props: RegisteredLinkProps & { children: ReactNode }) => ReturnType<React.FC>;
+    nonce?: string;
+    trustedTypesPolicyName?: string;
 };
 
 const isProduction = process.env.NODE_ENV !== "development";
 
 export function DsfrHead(props: DsfrHeadProps) {
-    const { preloadFonts = [], Link } = props;
+    const { preloadFonts = [], Link, nonce, trustedTypesPolicyName } = props;
 
     const defaultColorScheme = getDefaultColorSchemeServerSide();
 
@@ -55,7 +57,14 @@ export function DsfrHead(props: DsfrHeadProps) {
             <link rel="shortcut icon" href={getAssetUrl(FaviconIco)} type="image/x-icon" />
             {isProduction && (
                 <script
-                    dangerouslySetInnerHTML={{ "__html": getScriptToRunAsap(defaultColorScheme) }}
+                    nonce={nonce}
+                    dangerouslySetInnerHTML={{
+                        "__html": getScriptToRunAsap({
+                            defaultColorScheme,
+                            nonce,
+                            trustedTypesPolicyName
+                        })
+                    }}
                 />
             )}
         </>

src/next-appdir/zz_internal/start.ts

@@ -14,8 +14,10 @@ export function startReactDsfr(params: {
     verbose?: boolean;
     /** Default: <a /> */
     Link?: (props: RegisteredLinkProps & { children: ReactNode }) => ReturnType<React.FC>;
+    nonce?: string;
+    trustedTypesPolicyName?: string;
 }) {
-    const { defaultColorScheme, verbose = false, Link } = params;
+    const { defaultColorScheme, verbose = false, Link, nonce, trustedTypesPolicyName } = params;
 
     setDefaultColorSchemeClientSide({ defaultColorScheme });
 
@@ -36,7 +38,9 @@ export function startReactDsfr(params: {
                         actions.push(action);
                     }
                 }
-            }
+            },
+            nonce,
+            trustedTypesPolicyName
         });
     }
 }

src/next-pagesdir.tsx

@@ -41,6 +41,8 @@ export type CreateNextDsfrIntegrationApiParams = {
     doPersistDarkModePreferenceWithCookie?: boolean;
     /** Default: ()=> "fr" */
     useLang?: () => string;
+    nonce?: string;
+    trustedTypesPolicyName?: string;
 };
 
 function readIsDarkInCookie(cookie: string) {
@@ -88,7 +90,9 @@ export function createNextDsfrIntegrationApi(
         Link,
         preloadFonts = [],
         doPersistDarkModePreferenceWithCookie = false,
-        useLang
+        useLang,
+        nonce,
+        trustedTypesPolicyName
     } = params;
 
     let isAfterFirstEffect = false;
@@ -165,9 +169,10 @@ export function createNextDsfrIntegrationApi(
                         />
                         {!isBrowser && ( //NOTE: On browser we handle this manually
                             <>
-                                <style id={rootColorSchemeStyleTagId}>{`:root { color-scheme: ${
-                                    isDark ? "dark" : "light"
-                                }; }`}</style>
+                                <style
+                                    nonce={nonce}
+                                    id={rootColorSchemeStyleTagId}
+                                >{`:root { color-scheme: ${isDark ? "dark" : "light"}; }`}</style>
                                 <meta
                                     name="theme-color"
                                     content={
@@ -179,8 +184,13 @@ export function createNextDsfrIntegrationApi(
                         )}
                         {isProduction && (
                             <script
+                                nonce={nonce}
                                 dangerouslySetInnerHTML={{
-                                    "__html": getScriptToRunAsap(defaultColorScheme)
+                                    "__html": getScriptToRunAsap({
+                                        defaultColorScheme,
+                                        nonce,
+                                        trustedTypesPolicyName
+                                    })
                                 }}
                             />
                         )}

src/spa.ts

@@ -15,8 +15,17 @@ export function startReactDsfr(params: {
     Link?: (props: RegisteredLinkProps & { children: ReactNode }) => ReturnType<React.FC>;
     /** Default: ()=> "fr" */
     useLang?: () => string;
+    nonce?: string;
+    trustedTypesPolicyName?: string;
 }) {
-    const { defaultColorScheme, verbose = false, Link, useLang } = params;
+    const {
+        defaultColorScheme,
+        verbose = false,
+        Link,
+        useLang,
+        nonce,
+        trustedTypesPolicyName
+    } = params;
 
     if (Link !== undefined) {
         setLink({ Link });
@@ -29,7 +38,9 @@ export function startReactDsfr(params: {
     start({
         defaultColorScheme,
         verbose,
-        "nextParams": undefined
+        "nextParams": undefined,
+        nonce,
+        trustedTypesPolicyName
     });
 }
 

src/start.ts

@@ -13,12 +13,14 @@ type Params = {
               registerEffectAction: (effect: () => void) => void;
           }
         | undefined;
+    nonce?: string;
+    trustedTypesPolicyName?: string;
 };
 
 let isStarted = false;
 
 export async function start(params: Params) {
-    const { defaultColorScheme, verbose, nextParams } = params;
+    const { defaultColorScheme, verbose, nextParams, nonce, trustedTypesPolicyName } = params;
 
     assert(isBrowser);
 
@@ -35,7 +37,9 @@ export async function start(params: Params) {
         "colorSchemeExplicitlyProvidedAsParameter": defaultColorScheme,
         "doPersistDarkModePreferenceWithCookie":
             nextParams === undefined ? false : nextParams.doPersistDarkModePreferenceWithCookie,
-        registerEffectAction
+        registerEffectAction,
+        nonce,
+        trustedTypesPolicyName
     });
 
     // @ts-expect-error

src/useIsDark/client.ts

@@ -98,11 +98,15 @@ export function startClientSideIsDarkLogic(params: {
     registerEffectAction: (action: () => void) => void;
     doPersistDarkModePreferenceWithCookie: boolean;
     colorSchemeExplicitlyProvidedAsParameter: ColorScheme | "system";
+    nonce?: string;
+    trustedTypesPolicyName?: string;
 }) {
     const {
         doPersistDarkModePreferenceWithCookie,
         registerEffectAction,
-        colorSchemeExplicitlyProvidedAsParameter
+        colorSchemeExplicitlyProvidedAsParameter,
+        nonce,
+        trustedTypesPolicyName = "react-dsfr"
     } = params;
 
     const { clientSideIsDark, ssrWasPerformedWithIsDark: ssrWasPerformedWithIsDark_ } = ((): {
@@ -174,6 +178,14 @@ export function startClientSideIsDarkLogic(params: {
 
     ssrWasPerformedWithIsDark = ssrWasPerformedWithIsDark_;
 
+    const trustedTypes = (window as any).trustedTypes;
+    const sanitizer =
+        typeof trustedTypes !== "undefined"
+            ? trustedTypes.createPolicy(trustedTypesPolicyName, { createHTML: (s: string) => s })
+            : {
+                  createHTML: (s: string) => s
+              };
+
     $clientSideIsDark.current = clientSideIsDark;
 
     [data_fr_scheme, data_fr_theme].forEach(attr =>
@@ -228,7 +240,13 @@ export function startClientSideIsDarkLogic(params: {
 
             element.id = rootColorSchemeStyleTagId;
 
-            element.innerHTML = `:root { color-scheme: ${isDark ? "dark" : "light"}; }`;
+            if (nonce !== undefined) {
+                element.setAttribute("nonce", nonce);
+            }
+
+            element.innerHTML = sanitizer.createHTML(
+                `:root { color-scheme: ${isDark ? "dark" : "light"}; }`
+            );
 
             document.head.appendChild(element);
         };

src/useIsDark/scriptToRunAsap.ts

@@ -2,10 +2,24 @@ import type { ColorScheme } from "./client";
 import { data_fr_scheme, data_fr_theme, rootColorSchemeStyleTagId } from "./constants";
 import { fr } from "../fr";
 
-export const getScriptToRunAsap = (defaultColorScheme: ColorScheme | "system") => `
+type GetScriptToRunAsap = (props: {
+    defaultColorScheme: ColorScheme | "system";
+    nonce?: string;
+    trustedTypesPolicyName?: string;
+}) => string;
+
+// TODO enhance to use DOMPurify with trustedTypes
+export const getScriptToRunAsap: GetScriptToRunAsap = ({
+    defaultColorScheme,
+    nonce,
+    trustedTypesPolicyName = "react-dsfr"
+}) => `
 {
 
     window.ssrWasPerformedWithIsDark = "${defaultColorScheme}" === "dark";
+	const sanitizer = typeof trustedTypes !== "undefined" ? trustedTypes.createPolicy("${trustedTypesPolicyName}", { createHTML: s => s }) : {
+		createHTML: s => s,
+	};
     
     const isDark = (() => {
     
@@ -70,9 +84,13 @@ export const getScriptToRunAsap = (defaultColorScheme: ColorScheme | "system") =
 
         element = document.createElement("style");
 
+		if ("${nonce}" !== "") {
+			element.setAttribute("nonce", "${nonce}");
+		}
+
         element.id = "${rootColorSchemeStyleTagId}";
 
-        element.innerHTML = \`:root { color-scheme: \${isDark ? "dark" : "light"}; }\`;
+        element.innerHTML = sanitizer.createHTML(\`:root { color-scheme: \${isDark ? "dark" : "light"}; }\`);
 
         document.head.appendChild(element);
 

test/integration/next-appdir/app/StartDsfr.tsx

@@ -13,7 +13,8 @@ declare module "@codegouvfr/react-dsfr/next-appdir" {
 
 startReactDsfr({ 
 	defaultColorScheme, 
-	Link
+	Link,
+    nonce: "coucoucoucoucouc"
 });
 
 export function StartDsfr(){

test/integration/next-appdir/app/layout.tsx

@@ -41,6 +41,7 @@ export default function RootLayout({ children }: { children: JSX.Element; }) {
 						//"Spectral-Regular",
 						//"Spectral-ExtraBold"
 					]}
+					nonce='coucoucoucoucouc'
 				/>
 			</head>
 			<body