strict-dynamic CSP support #3558

Open
Tracked by #3499
Rich-Harris opened this issue Jan 26, 2022 · 4 comments
Comments

@Rich-Harris
Member

Describe the problem

SvelteKit doesn't really work with strict-dynamic CSP, at least not when using hashes. There seem to be some non-intuitive requirements (you have to use modulepreload?), and I haven't been able to get it to work at all in Firefox, so I more or less gave up on it in #3499.

Describe the proposed solution

Err, not sure. But this...

// svelte.config.js
export default {
  kit: {
    csp: {
      directives: {
        'default-src': ['strict-dynamic']
      }
    }
  }
};

...needs to work in dev and prod somehow.

Alternatives considered

No response

Importance

nice to have

Additional Information

No response

@Karlinator
Contributor

I'm not surprised you didn't get it to work at all in Firefox, at least when using hashes.

strict-dynamic is kind of patchy in browsers, as evidenced by that bug, but from what I've tested there should be no real issues (from the browser side) when using nonces.

@Rich-Harris Rich-Harris added this to the post-1.0 milestone Apr 25, 2022
peterpeterparker added a commit to dfinity/nns-dapp that referenced this issue Oct 13, 2022
# Motivation

Using a CSP `'strict-dynamic'` with SvelteKit breaks in Firefox.

# Solution

Extracting the script content that gets injected by SvelteKit in `index.html` into a separate JS script that gets appended with a script loader.

Exact same "script loader" as the one we used to use for Rollup.

# Issue

- SvelteKit sveltejs/kit#3558 

# Changes

- update `build.csp.mjs` to extract script
- add script loader to `app.html`
@Karlinator
Contributor

The Firefox bug mentioned here has (finally) seen movement. 116 Nightly now has support for CSP hashes for remote scripts.

https://bugzilla.mozilla.org/show_bug.cgi?id=1409200

@aradalvand
Contributor

aradalvand commented Jul 13, 2023

I just tested strict-dynamic (context) and it actually seems to be working just fine (although I'm only using nonces); is there really anything that needs to be done still? Am I missing something?

@stephanabs

@aradalvand It works with nonces, but at least for me it still doesn't work with hashes.

@Rich-Harris were you able to find a workaround for this?
