I’m yet to find a website that actually has CSP without unsafe inline / eval granted in their policy. I suspect react doesn’t support the policies well, but also that the policy is not as scalable as intended.
Don’t get me wrong, it’s a cool idea but I can’t help but think that it’s dead. Can anyone prove me wrong?
All those sites have a restrictive CSP, among other things. Many of them are Fediverse instances (mostly Mastodon), i.e. complex web services that often serve thousands of users. Some others are simple static sites which are comparatively easy to apply a strict CSP to.
CSPs are hard to get right, but they're doable. Most occurrences of script unsafe-inline and unsafe-eval are due to laziness. As far as I know -- and I use React regularly -- there's nothing about React that makes a strong CSP harder vs normal DOM manipulations.
It's also worth noting that 'unsafe-inline' in CSP is commonly used to support older browsers, and a nonce subsequently disables the unsafe directive for modern browsers that support it. It can be hard to read a policy visually and see if the directive actually applies.
(The same thing happens with 'strict-dynamic' and allowing all HTTP(S) URIs -- 'strict-dynamic' disables the URIs when supported.)
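The fallback behaviour described in the two comments above, as an added example that is not part of any poster's comment: a small model of how a CSP3 browser versus a legacy CSP1 browser (no nonce or 'strict-dynamic' support) interprets the same script-src directive. The policy string is a constructed sample and the evaluator is illustrative, not a browser's implementation.

```python
# Added example: model which parts of a script-src directive a browser
# actually enforces. Constructed for this thread; not browser code.
from dataclasses import dataclass, field

# Constructed sample policy: nonce + 'strict-dynamic' for modern browsers,
# 'unsafe-inline' + https: as the fallback for legacy browsers.
SAMPLE_POLICY = ("script-src 'self' https: 'unsafe-inline' "
                 "'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'")


@dataclass
class EffectiveScriptSrc:
    allow_inline: bool                 # can a <script> without nonce/hash run?
    host_sources: list = field(default_factory=list)  # allowlist still consulted
    nonces: list = field(default_factory=list)
    strict_dynamic: bool = False


def parse_policy(policy: str) -> dict:
    """Split 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def effective_script_src(policy: str, modern: bool) -> EffectiveScriptSrc:
    """modern=True models CSP3: a nonce or hash causes 'unsafe-inline' to be
    ignored, and 'strict-dynamic' causes 'self', host and scheme sources
    (and 'unsafe-inline') to be ignored. modern=False models a CSP1 browser
    that drops the tokens it does not understand."""
    directives = parse_policy(policy)
    sources = directives.get("script-src") or directives.get("default-src", [])
    nonces = [s for s in sources if s.startswith("'nonce-")]
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    strict_dynamic = "'strict-dynamic'" in sources
    unsafe_inline = "'unsafe-inline'" in sources
    hosts = [s for s in sources if not s.startswith("'") or s == "'self'"]
    if not modern:
        # CSP1 browser: unknown tokens are skipped, so the fallback applies.
        return EffectiveScriptSrc(unsafe_inline, hosts, [], False)
    allow_inline = unsafe_inline and not (nonces or hashes or strict_dynamic)
    effective_hosts = [] if strict_dynamic else hosts
    return EffectiveScriptSrc(allow_inline, effective_hosts, nonces, strict_dynamic)
```

Reading the policy text alone, 'unsafe-inline' and https: look permissive; the function shows they only apply to the legacy browser.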
> I suspect react doesn’t support the policies well
Frankly this sounds like something you just made up.
Why would React require any weakening of CSP rules? Is there something special about React that requires loading it differently than any other JavaScript?
On the whole, React is a win for security, because XSS is by default impossible, due to the indirection provided by the Virtual DOM abstraction. As long as you (and your dependencies) don’t dangerouslySetInnerHTML, you’ll eliminate most XSS bugs.