Skip to content
This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

CSP Violation Fixes for script-src "Webpack" #1395

Merged
merged 4 commits into from
Aug 14, 2020
Merged

CSP Violation Fixes for script-src "Webpack" #1395

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b365726
CSP fix
fledgling-vish Aug 8, 2020
1f53187
Merge branch 'master' of github.com:sveltejs/sapper into contentsecpo…
fledgling-vish Aug 12, 2020
029815e
Spacing fix
fledgling-vish Aug 12, 2020
b739661
Removing nonce_attr from style & link
fledgling-vish Aug 14, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 4 additions & 4 deletions runtime/src/server/middleware/get_page_handler.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,9 @@ export function get_page_handler(
const file = [].concat(build_info.assets.main).filter(file => file && /\.js$/.test(file))[0];
const main = `${req.baseUrl}/client/${file}`;

// users can set a CSP nonce using res.locals.nonce
const nonce_attr = (res.locals && res.locals.nonce) ? ` nonce="${res.locals.nonce}"` : '';

if (build_info.bundler === 'rollup') {
if (build_info.legacy_assets) {
const legacy_main = `${req.baseUrl}/client/legacy/${build_info.legacy_assets.main}`;
Expand All @@ -315,7 +318,7 @@ export function get_page_handler(
script += `var s=document.createElement("script");try{new Function("if(0)import('')")();s.src="${main}";s.type="module";s.crossOrigin="use-credentials";}catch(e){s.src="${req.baseUrl}/client/shimport@${build_info.shimport}.js";s.setAttribute("data-main","${main}")}document.head.appendChild(s)`;
}
} else {
script += `</script><script src="${main}" defer>`;
script += `</script><script${nonce_attr} src="${main}" defer>`;
benmccann marked this conversation as resolved.
Show resolved Hide resolved
}

let styles: string;
Expand Down Expand Up @@ -343,9 +346,6 @@ export function get_page_handler(
styles = (css && css.code ? `<style>${css.code}</style>` : '');
}

// users can set a CSP nonce using res.locals.nonce
const nonce_attr = (res.locals && res.locals.nonce) ? ` nonce="${res.locals.nonce}"` : '';

const body = template()
.replace('%sapper.base%', () => `<base href="${req.baseUrl}/">`)
.replace('%sapper.scripts%', () => `<script${nonce_attr}>${script}</script>`)
Expand Down