feat: csp nonce support #16052
Co-authored-by: Andrew <8158705+maccuaa@users.noreply.github.com>
Co-Authored-By: Justin Tay <49700559+justin-tay@users.noreply.github.com>
I will try to take a close look at this PR later. It is quite easy to mess CSP things up in a way that CSP does little for actual security, so it is preferable that CSP is not messed up in vite.
/ecosystem-ci run
📝 Ran ecosystem CI on
✅ analogjs, astro, histoire, ladle, laravel, marko, nuxt, previewjs, qwik, rakkas, sveltekit, unocss, vike, vite-plugin-pwa, vite-plugin-react, vite-plugin-react-pages, vite-plugin-react-swc, vite-plugin-svelte, vite-setup-catalogue, vitepress, vitest
Awesome! The implementation looks great to me. I guess my only nit is about patak's comment.
Description
This PR is an updated version of #14653 with changes that were discussed in the team meeting. In that meeting, we discussed that writing the nonce placeholder in every script/style/link tag is time consuming. Given that the nonce placeholder should be the same even for different HTML files, we decided to make a new option for the nonce placeholder. I made a new PR as it was easier for me than rebasing the old one.
nonce attribute with the value of html.cspNonce option to <script>/<style>/<link rel="stylesheet">.
meta[property=csp-nonce] when injecting style tags that are generated by CSS imports in JS.
nonce attribute with the value of html.cspNonce option to <style>.
<script>/<link rel="stylesheet">/<link rel="modulepreload"> with nonce attribute with the value of html.cspNonce option.
meta[property=csp-nonce] to injecting link tags
close #9719
close #11862
supersedes close #11864
supersedes close #11958