This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

CSP Violation Fixes for script-src "Webpack" #1395

Merged
merged 4 commits into from Aug 14, 2020

Conversation

fledgling-vish
Contributor

@fledgling-vish fledgling-vish commented Aug 12, 2020

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR relates to an outstanding issue, so please reference it in your PR, or create an explanatory one for discussion. In many cases features are absent for a reason.
  • This message body should clearly illustrate what problems it solves. If there are related issues, remember to reference them.
    'nonce-{nonce}' in CSP header for script-src prevents execution of main file because of the absence of nonce attribute.
  • Ideally, include a test that fails without this PR but passes with it. PRs will only be merged once they pass CI. (Remember to npm run lint!)

Tests

  • Run the tests with npm test or yarn test.

@fledgling-vish fledgling-vish changed the title Contentsecpolicy CSP Violation Fixes Aug 12, 2020
@benmccann
Member

benmccann commented Aug 12, 2020

Also related is #1232

@fledgling-vish fledgling-vish changed the title CSP Violation Fixes CSP Violation Fixes for script-src "Webpack" Aug 14, 2020
@fledgling-vish fledgling-vish marked this pull request as ready for review August 14, 2020 17:11
@fledgling-vish
Contributor Author

@benmccann I have reduced the scope of this PR to just deal with script-src. Fixing style-src is gonna take a lot of time at my end which I currently don't have.

@benmccann
Member

This looks to me like it's going to generate <script${nonce_attr}></script><script${nonce_attr} src="${main}" defer></script>. It seems pretty hacky to have that empty script tag in there. Most of that is from before your PR, but if we're going to be touching this area I think it would be nice to do that small cleanup rather than just putting more code on top of it.

@fledgling-vish
Contributor Author

@benmccann I don't think an empty script tag will be added. I verified it as well. Attaching the screenshot below.
[screenshot: Screen Shot 2020-08-14 at 11 32 52 AM]

@benmccann benmccann left a comment


Thanks for the explanation! This looks okay to me

@benmccann benmccann merged commit 949a187 into sveltejs:master Aug 14, 2020
trmcnvn pushed a commit to metafy-gg/sapper that referenced this pull request Aug 15, 2020