`strict-dynamic` CSP support #3558
Comments
I'm not surprised you didn't get it to work at all in Firefox, at least when using hashes.
# Motivation

Using a CSP `'strict-dynamic'` with SvelteKit breaks in Firefox.

# Solution

Extracting the script content that gets injected by SvelteKit in `index.html` into a separate JS script that gets appended with a script loader. Exact same "script loader" as the one we used to use for Rollup.

# Issue

- SvelteKit sveltejs/kit#3558

# Changes

- update `build.csp.mjs` to extract script
- add script loader to `app.html`
The Firefox bug mentioned here has (finally) seen movement. 116 Nightly now has support for CSP hashes for remote scripts.

I just tested

@aradalvand It works with nonces, but at least for me it still doesn't work with hashes. @Rich-Harris were you able to find a workaround for this?

Describe the problem
SvelteKit doesn't really work with `strict-dynamic` CSP, at least not when using hashes. There seem to be some non-intuitive requirements (you have to use `modulepreload`?), and I haven't been able to get it to work at all in Firefox, so I more or less gave up on it in #3499.

Describe the proposed solution
Err, not sure. But this...
...needs to work in dev and prod somehow.
Alternatives considered
No response
Importance
nice to have
Additional Information
No response
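
An added example, not code from SvelteKit or from the pull request description quoted above: a build-time check that hashes the inline script left in a page, builds a `'strict-dynamic'` `script-src` value from it, and lists external scripts written directly in the markup, which inline hashes do not cover. The function names and the sample HTML are constructed for illustration, and the regular-expression scan assumes simple build output rather than arbitrary HTML.

```javascript
// Added example; function names and SAMPLE_HTML are hypothetical, not SvelteKit code.
const { createHash } = require('node:crypto');

// Constructed build output: one inline loader plus one parser-inserted external script.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script>const s = document.createElement('script'); s.type = 'module'; s.src = '/main.js'; document.head.appendChild(s);</script>
<script src="/vendor.js"></script>
</head><body></body></html>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;

// Hash source for each inline <script>. The digest covers the exact text between
// the tags, so a single changed byte (even whitespace) yields a different hash.
function inlineScriptHashes(html) {
  const hashes = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    if (SRC_RE.test(attrs)) continue; // external script: no inline text to hash
    const digest = createHash('sha256').update(body, 'utf8').digest('base64');
    hashes.push(`'sha256-${digest}'`);
  }
  return hashes;
}

// External scripts written directly in the markup. Under 'strict-dynamic' these
// are not trusted by the inline hashes; they need a nonce or external-hash support.
function parserInsertedExternalScripts(html) {
  const urls = [];
  for (const [, attrs] of html.matchAll(SCRIPT_RE)) {
    const m = SRC_RE.exec(attrs);
    if (m) urls.push(m[1]);
  }
  return urls;
}

// script-src value trusting only the hashed inline scripts and whatever they load.
function buildScriptSrc(html) {
  return ['script-src', "'strict-dynamic'", ...inlineScriptHashes(html)].join(' ');
}

console.log(buildScriptSrc(SAMPLE_HTML));
console.log('not covered by inline hashes:', parserInsertedExternalScripts(SAMPLE_HTML));
```

Failing the build when `parserInsertedExternalScripts` returns anything keeps every script load behind the hashed inline loader.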