Porsche Design System
You are currently viewing an earlier release of the Porsche Design System.Switch to the latest Porsche Design System documentation.
SearchNavigate to GitHub repository of Porsche Design SystemOpen sidebar
VulnerabilitiesContent Security Policy
Security Table of Contents The HTTP Content-Security-Policy (CSP) response header and meta tag allow website administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks. Therefore, we recommend specifying a Content Security Policy for every website and web app. Further information can be found in the Content Security Policy Reference. Basic By specifying https://cdn.ui.porsche.com and https://cdn.ui.porsche.cn for default-src, style-src and script-src, all basic use cases should be covered. For example, this website currently uses the following one. Partials However, the Porsche Design System requires and recommends the usage of partials for injecting styles/scripts and preloading assets. While partials for preloading are covered by whitelisting our CDN domains from above, partials that produce dynamic innerHTML are not. The ones affected are: getInitialStyles() required since v3.7.0 getLoaderScript() getDSRPonyfill() getBrowserSupportFallbackScript() getCookiesFallbackScript() To allow their result being executed by the browser there are two options: Apply a unique nonce attribute on the script and style tag that the partial produces and whitelist this nonce in the CSP header/meta tag Whitelist the script's and style's hashed content in the CSP header/meta tag While the 1st option might be easier to apply by post processing the partial's output it is important that the nonce is not reused which means a new nonce has to be generated each time the website is requested by a user. Our recommendation is to go with the 2nd option. To make integration easy, the affected partials accept the option { format: 'sha256' } in order to receive the hash that needs to be applied with single quotes in the CSP header/meta tag. The returned string from calling a partial, e.g. getInitialStyles({ format: 'sha256' }) is already wrapped in single quotes so it can be used directly in your policy. So an example integration could look like this.
Global settingsThemeChanges the theme of the application and any Porsche Design System component. It's possible to choose between forced theme light and dark. It's also possible to use auto, which applies light or dark theme depending on the operating system settings automatically.LightDarkAuto (sync with operating system)DirectionThe dir global attribute in HTML changes the direction of text and other content within an element. It's most often used on the <html> tag to set the entire page's direction, which is crucial for supporting languages that are written from right to left (RTL), such as Arabic and Hebrew. For example, using <html dir="rtl"> makes the entire page display from right to left, adjusting the layout and text flow accordingly.LTR (left-to-right)RTL (right-to-left)Text ZoomTo ensure accessibility and comply with WCAG 2.2 AA standards, it is mandatory for web content to support text resizing up to at least 200% without loss of content or functionality. Using relative units like rem is a best practice for achieving this, as they allow the text to scale uniformly based on the user's browser settings.100%130%150%200%