Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: csp nonce support #16052

Merged
merged 15 commits into from
Mar 13, 2024
Merged

feat: csp nonce support #16052

merged 15 commits into from
Mar 13, 2024

Conversation

sapphi-red
Copy link
Member

@sapphi-red sapphi-red commented Feb 28, 2024

Description

This PR is updated version of #14653 with changes that was discussed in the team meeting. In that meeting, we discussed that writing nonce placeholder in every script/style/link tag is time consuming. Given that the nonce placeholder should be same even for different HTML files, we decided to make a new option for the nonce placeholder. I made a new PR as it was easier for me than rebasing the old one.

  • In dev,
    • Vite will inject nonce attribute with the value of html.cspNonce option to <script>/<style>/<link rel="stylesheet">.
    • Vite will use the nonce value of meta[property=csp-nonce] when injecting style tags that is generated by CSS imports in JS.
  • In build
    • Vite will inject nonce attribute with the value of html.cspNonce option to <style>.
    • Vite will generate <script>/<link rel="stylesheet">/<link rel="modulepreload"> with nonce attribute with the value of html.cspNonce option.
    • The preload function will use the nonce value of meta[property=csp-nonce] to injecting link tags

close #9719
close #11862
superseds close #11864
superseds close #11958

Additional context


What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines, especially the Pull Request Guidelines.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Update the corresponding documentation if needed.
  • Ideally, include relevant tests that fail without this PR but pass with it.

@sapphi-red sapphi-red added the enhancement New feature or request label Feb 28, 2024
Copy link

stackblitz bot commented Feb 28, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@sapphi-red sapphi-red mentioned this pull request Feb 28, 2024
12 tasks
@sapphi-red sapphi-red added the p2-to-be-discussed Enhancement under consideration (priority) label Feb 28, 2024
@schamberg97
Copy link

I will try to take a close look at this PR later. It is quite easy to mess CSP things up in a way that CSP does little for actual security, so it is preferable that CSP is not messed up in vite

@sapphi-red sapphi-red marked this pull request as ready for review February 29, 2024 08:15
@sapphi-red
Copy link
Member Author

/ecosystem-ci run

@vite-ecosystem-ci

This comment was marked as outdated.

@vite-ecosystem-ci

This comment was marked as outdated.

@vite-ecosystem-ci
Copy link

@patak-dev patak-dev added this to the 5.2 milestone Mar 5, 2024
Copy link
Member

@bluwy bluwy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! The implementation looks great to me. I guess my only nit is about patak's comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request p2-to-be-discussed Enhancement under consideration (priority)
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Issue setting strict CSP in dev nonce tag in __vitePreload (CSP)
4 participants