Update sapper docs to conform with Helmet v4 #1361
Comments
It sounds to me like this is fixed in Helmet 4.1.0 based off the link above. Please let me know if that's wrong or there are still changes needed to the docs to demonstrate the latest version of Helmet |
Yes, Helmet 4.1.0 reintroduced functions for nonce generation, but there are more issues since it is way more strict. I just tried to make it work again, no chance. The docs need to adapted to at least set Other than that, I don't see the nonce being set in the DOM, just And this is my console output after having Some errors I can guess how to fix, others not. |
I think "Refused to apply the inline style" message would be fixed by #1232. I just did another pass at reviewing that one, so hopefully we can merge it soon The others look like they're mostly not things that Sapper controls. You might need #1249 for those. It seems like you'd run into these problems regardless of Helmet version. Are you okay if we leave this closed since there are already other issues tracking those problems? |
We can keep it closed, no problem! |
I was able to get CSP working after all the related issues were fixed and merged. I just wanted to leave my helmet configuration here, in case anyone doesn't have the time to figure this all out alone: app
.use(
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
// Has to be unsafe-eval because %sapper.scripts% uses eval
// @ts-expect-error
scriptSrc: ["'self' 'unsafe-eval'", (_req, res) => `'nonce-${res.locals.nonce}'`],
// Has to be unsafe-inline currently, because svelte-awesome & svelte-image sets inline style
styleSrc: ["'self' 'unsafe-inline'"],
// data: needed for svelte-image placeholders and svelte-awesome icons
imgSrc: ["'self'", 'data:'],
// localhost:10000 needed by __sapper__ itself
connectSrc: ["'self'", 'http://localhost:10000'],
},
},
}),
compression({ threshold: 0 }),
sirv('static', { dev }),
sapper.middleware(),
) |
Hello @mhatvan |
Nope, Chromium only so far. |
Thanks for this, it really saved me a lot of headaches! |
A new major version of Helmet was released a couple days ago and the Sapper documentation about Content Security Policy needs to be adapted to it. One thing that changed for example is that "you can no longer use a function inside a directive, e.g. for nonce generation".
I was not able to set up a working nonce generation for my project to avoid CSP issues, there is also a recent issue that might be relevant: helmetjs/helmet#237
The text was updated successfully, but these errors were encountered: