Streaming disables CSP silently #11801
Comments
|
Pretty sure i just ran into this too, looking at the code generated (at least for the cloudflare adapter) it doesn't use the headers object that it adds the csp header (among other things) to Here the |
0x221A
added a commit
to 0x221A/kit
that referenced
this issue
Jun 29, 2024
0x221A
added a commit
to 0x221A/kit
that referenced
this issue
Jun 29, 2024
0x221A
added a commit
to 0x221A/kit
that referenced
this issue
Jun 29, 2024
6 tasks
0x221A
added a commit
to 0x221A/kit
that referenced
this issue
Jun 30, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Using streaming disables the "built in" CSP support and this is not documented clearly (reading both the CSP and streaming doc). The workaround is to use my own CSP in a handle hook, but to support streaming I have to add
script-src: 'unsafe-inline'which is undesirable. I was not able to find the nonce in the handle hook that is referenced in the doc.Reproduction
https://github.com/vegardok/sveltekit-csp-and-streaming/commits/main/
Logs
No response
System Info
System: OS: macOS 14.3 CPU: (10) arm64 Apple M2 Pro Memory: 295.05 MB / 16.00 GB Shell: 5.9 - /bin/zsh Binaries: Node: 20.9.0 - ~/.nvm/versions/node/v20.9.0/bin/node npm: 10.1.0 - ~/.nvm/versions/node/v20.9.0/bin/npm pnpm: 8.14.0 - ~/.nvm/versions/node/v20.9.0/bin/pnpm Browsers: Chrome: 121.0.6167.85 Safari: 17.3 npmPackages: @sveltejs/adapter-auto: ^3.0.0 => 3.1.1 @sveltejs/kit: ^2.0.0 => 2.5.0 @sveltejs/vite-plugin-svelte: ^3.0.0 => 3.0.2 svelte: ^4.2.7 => 4.2.9 vite: ^5.0.3 => 5.0.12Severity
serious, but I can work around it
Additional Information
No response
The text was updated successfully, but these errors were encountered: