[Feature/Security]: Convert inline manifest into separate file to improve CSP default settings #1263
Open
2 tasks done
Labels
enhancement
New feature or request
Comments
jceb
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Duplicates
Latest version
Summary 馃挕
The SSR (https://github.com/solidjs/solid-start/blob/main/packages/start/server/StartServer.tsx#L76) and SPA (https://github.com/solidjs/solid-start/blob/main/packages/start/server/spa/StartServer.tsx#L20) version use an inline script to define
window.manifest. This makes Content Security Policy more difficult implement and leads to the use of less safe deaults like:script-src 'unsafe-inline'.Furthermore, Chrome and Firefox don't allow browser extensions to use the CSP setting
script-src 'unsafe-inline'(https://developer.chrome.com/docs/extensions/reference/manifest/content-security-policy). Therefore, Solid start can't be used to build browser extensions at the moment.To work around this issue, the inline script should be converted into an external file that's imported.
Examples 馃寛
No response
Motivation 馃敠
No response
The text was updated successfully, but these errors were encountered: