CSP #3499
Conversation
I've been experimenting a bit, both with hashing at compile time and general mayhem. Conclusion: Browsers are weird and inconsistent. When using I think this genuinely is a bug in Firefox's implementation of Without Other than that I was able to get Kit to hash the client js files on render and put the hashes in the manifest (though I'm not sure I'm happy with where I put it), and then the runtime fetches those hashes and inserts them into What's the best way for me to contribute code to this PR btw, if you want it? Should I just make PRs into the
Yikes. Thanks for investigating, that does indeed sound like a Firefox bug. The best we can do is probably support
I have some work locally that would likely conflict if we were both working in
I'm trying to narrow down the exact issue with reproduction so I can report it. But yeah, we'll just have to do our best with it, and advise that using
Sure. I was mostly experimenting, trying to get a flow of compile-time hashing (since the chunk files are completely static). I might try to look at tests—or I'll just make more abstract contributions (read: find bugs in browsers) some more
Bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1751573
A couple of edge cases with the dev server: Vite inserts a whole bunch of inline style tags in the dev server (for perfectly good reasons). The SSR can nonce the style tag it sees as much as it wants; Vite will promptly replace it with un-nonced tags after hydration. Since this only affects dev mode it's probably fine to insert Vite connects over WebSocket in dev mode, so if I'd be fine with treating the dev server a little differently and noting it in the docs in case anyone is confused. If you're testing your CSP then you should do it in the adapter's emulator or something anyway.
Alright, I think this is done. There's some follow-up work to do, as mentioned at the top, but I believe this covers the majority of what we need. |
Ooo, I've found more CSP weirdness.
struggling to get it to work in dev or prod with |
I'm going to admit defeat on |
#93.
Lots to do here. CSP is a big topic and we might not nail it in a single PR, but I think this is a good starting point (let me know if I've overlooked or messed up anything):

- `options.js` to expect new `csp` config option (including `mode: 'nonce' | 'hash' | 'auto'`)
- generate hashes (probably easiest to just use sha256 everywhere?) from static assets (not necessary, it turns out)
- if `default-src` or `script-src` or `style-src` doesn't specify `unsafe-inline`, generate nonces or hashes (depending on the value of `mode` — defaults to 'auto', which means 'nonce for dynamically rendered stuff, hash for prerendered stuff'). Realistically, many apps will need `style-src: 'unsafe-inline'` until Svelte switches over to using WAAPI for transitions
- if `default-src` or `script-src` or `style-src` specifies `strict-dynamic`, include nonces/hashes for everything Kit controls (also not necessary)
- `%svelte.nonce%` in `src/app.html`, but not during prerendering
- `style-src 'unsafe-inline'` if necessary, skip nonce
- add `connect-src: ws://*`
- `%svelte.nonce%` is present in the template (unless prerendering, obvs)

Stuff that's important but should probably stay out of scope for this PR:

- `strict-dynamic` CSP support #3558

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

Tests

- `pnpm test` and lint the project with `pnpm lint` and `pnpm check`

Changesets

- `pnpx changeset` and following the prompts. All changesets should be `patch` until SvelteKit 1.0