Conversation
Looks like a nice idea, however this seems like something which could break sites if it were to be done incorrectly, so I think this PR is deserving of a test or two to ensure that the feature doesn't regress. |
I'd need some help to write tests for this - could you point me at a similar or example test? |
There are a bunch of integration tests in the |
Thanks, I've added a test. I can't run the tests locally though, I've a clean repo (apart from these changes) and I get,
any ideas? |
Hmmm. Can you open a new issue for that and include the output of |
@benmccann I've figured out the test failure, a stray Now fixed, with a test for the script nonce as well :) |
I believe the test cancellation (failure) is unrelated to this patch. |
@Conduitry I've fixed the issue, could you review? |
This is something that I would love to have implemented as well (I don't feel comfortable deploying an application with unsafe-inline set for anything). Does anybody have a status for this? Just waiting on @Conduitry? Thanks! |
I don't think the test failures are related to this change - only failed after the rebase. |
@pgjones there actually is a problem here. The same line of code is duplicated on lines 297 and 311. Can you remove the second one?
|
@benmccann ah yes - I've fixed that now. I don't understand why the tests no longer work though - I guess something has changed since I wrote them? |
I can't really think of anything that would make them fail. I think the version of Puppeteer and some dependencies were updated, so maybe that? Anyway, I'm not sure, but if you manage to fix the tests I'm happy to merge this when they're all passing |
@benmccann I think this commit bcb1c19 breaks this, how can |
That's the type, not the default though, right? There's been a lot that's changed there and it's certainly possible that something changed unintentionally there. I'm open to changing it back if you can find something like that |
Yep, sorry I'm not fully concentrating on this. I've taken another look, and I think I've now fixed everything (by setting the css option to undefined, which I think makes sense - although I don't understand why setting css to false in the svelte part doesn't work?). |
This follows on from e377515 which introduced a script nonce. The same nonce is now used for the inline styles, allowing a stronger CSP (nonce over unsafe-inline). This also includes a test for the existing script nonce.
ce71046
to
047b1c9
Compare
@benmccann excellent, I've removed the |
Thanks for your patience and sticking with it to see it through! |
🎉 thank you! |
This follows on from e377515 which introduced a script nonce. The same nonce is now used for the inline styles, allowing a stronger CSP (nonce over unsafe-inline).
Closes #1231