New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(cspNonce): don't overwrite existing nonce values #16415
Conversation
Run & review this pull request in StackBlitz Codeflow. |
@sapphi-red as a side-note, do you remember why It caught me off guard when looking at this that |
While I was working on #16052, I was thinking hard about what tags should have the nonce attribute injected. The first idea was to only inject tags that cannot be achieved by chaning the input HTML (e.g. On second thought, I think it makes sense to go with the second idea. Vite already injects the nonce to |
Thanks for confirming. I can add a commit to do that to this PR if you think that would be reasonable. |
I would appreciate it if you could create another PR that cherry-picks that commit. |
80795cc
to
76b0efb
Compare
Thanks for the review. Feedback has been addressed and I have split the adding of nonce to <style> tags into its own PR |
5822b89
to
259ba21
Compare
/ecosystem-ci run |
📝 Ran ecosystem CI on
✅ analogjs, astro, histoire, ladle, laravel, marko, previewjs, quasar, qwik, rakkas, remix, sveltekit, unocss, vike, vite-plugin-pwa, vite-plugin-react, vite-plugin-react-pages, vite-plugin-react-swc, vite-plugin-svelte, vite-plugin-vue, vite-setup-catalogue, vitepress, vitest |
## 5.2.11 (2024-05-02) * feat: improve dynamic import variable failure error message (#16519) ([f8feeea](vitejs/vite@f8feeea)), closes [#16519](vitejs/vite#16519) * fix: dynamic-import-vars plugin normalize path issue (#16518) ([f71ba5b](vitejs/vite@f71ba5b)), closes [#16518](vitejs/vite#16518) * fix: scripts and styles were missing from built HTML on Windows (#16421) ([0e93f58](vitejs/vite@0e93f58)), closes [#16421](vitejs/vite#16421) * fix(deps): update all non-major dependencies (#16488) ([2d50be2](vitejs/vite@2d50be2)), closes [#16488](vitejs/vite#16488) * fix(deps): update all non-major dependencies (#16549) ([2d6a13b](vitejs/vite@2d6a13b)), closes [#16549](vitejs/vite#16549) * fix(dev): watch publicDir explicitly to include it outside the root (#16502) ([4d83eb5](vitejs/vite@4d83eb5)), closes [#16502](vitejs/vite#16502) * fix(preload): skip preload for non-static urls (#16556) ([bb79c9b](vitejs/vite@bb79c9b)), closes [#16556](vitejs/vite#16556) * fix(ssr): handle class declaration and expression name scoping (#16569) ([c071eb3](vitejs/vite@c071eb3)), closes [#16569](vitejs/vite#16569) * fix(ssr): handle function expression name scoping (#16563) ([02db947](vitejs/vite@02db947)), closes [#16563](vitejs/vite#16563) ## 5.2.10 (2024-04-20) * revert: perf: use workspace root for fs cache (#15712) (#16476) ([77e7359](vitejs/vite@77e7359)), closes [#15712](vitejs/vite#15712) [#16476](vitejs/vite#16476) * fix: add base to virtual html (#16442) ([721f94d](vitejs/vite@721f94d)), closes [#16442](vitejs/vite#16442) * fix: adjust esm syntax judgment logic (#16436) ([af72eab](vitejs/vite@af72eab)), closes [#16436](vitejs/vite#16436) * fix: don't add outDirs to watch.ignored if emptyOutDir is false (#16453) ([6a127d6](vitejs/vite@6a127d6)), closes [#16453](vitejs/vite#16453) * fix(cspNonce): don't overwrite existing nonce values (#16415) ([b872635](vitejs/vite@b872635)), closes [#16415](vitejs/vite#16415) * feat: show warning if root is in build.outDir (#16454) ([11444dc](vitejs/vite@11444dc)), closes [#16454](vitejs/vite#16454) * feat: write cspNonce to style tags (#16419) ([8e54bbd](vitejs/vite@8e54bbd)), closes [#16419](vitejs/vite#16419) * chore(deps): update dependency eslint-plugin-n to v17 (#16381) ([6cccef7](vitejs/vite@6cccef7)), closes [#16381](vitejs/vite#16381)
## 5.2.11 (2024-05-02) * feat: improve dynamic import variable failure error message (#16519) ([f8feeea](vitejs/vite@f8feeea)), closes [#16519](vitejs/vite#16519) * fix: dynamic-import-vars plugin normalize path issue (#16518) ([f71ba5b](vitejs/vite@f71ba5b)), closes [#16518](vitejs/vite#16518) * fix: scripts and styles were missing from built HTML on Windows (#16421) ([0e93f58](vitejs/vite@0e93f58)), closes [#16421](vitejs/vite#16421) * fix(deps): update all non-major dependencies (#16488) ([2d50be2](vitejs/vite@2d50be2)), closes [#16488](vitejs/vite#16488) * fix(deps): update all non-major dependencies (#16549) ([2d6a13b](vitejs/vite@2d6a13b)), closes [#16549](vitejs/vite#16549) * fix(dev): watch publicDir explicitly to include it outside the root (#16502) ([4d83eb5](vitejs/vite@4d83eb5)), closes [#16502](vitejs/vite#16502) * fix(preload): skip preload for non-static urls (#16556) ([bb79c9b](vitejs/vite@bb79c9b)), closes [#16556](vitejs/vite#16556) * fix(ssr): handle class declaration and expression name scoping (#16569) ([c071eb3](vitejs/vite@c071eb3)), closes [#16569](vitejs/vite#16569) * fix(ssr): handle function expression name scoping (#16563) ([02db947](vitejs/vite@02db947)), closes [#16563](vitejs/vite#16563) ## 5.2.10 (2024-04-20) * revert: perf: use workspace root for fs cache (#15712) (#16476) ([77e7359](vitejs/vite@77e7359)), closes [#15712](vitejs/vite#15712) [#16476](vitejs/vite#16476) * fix: add base to virtual html (#16442) ([721f94d](vitejs/vite@721f94d)), closes [#16442](vitejs/vite#16442) * fix: adjust esm syntax judgment logic (#16436) ([af72eab](vitejs/vite@af72eab)), closes [#16436](vitejs/vite#16436) * fix: don't add outDirs to watch.ignored if emptyOutDir is false (#16453) ([6a127d6](vitejs/vite@6a127d6)), closes [#16453](vitejs/vite#16453) * fix(cspNonce): don't overwrite existing nonce values (#16415) ([b872635](vitejs/vite@b872635)), closes [#16415](vitejs/vite#16415) * feat: show warning if root is in build.outDir (#16454) ([11444dc](vitejs/vite@11444dc)), closes [#16454](vitejs/vite#16454) * feat: write cspNonce to style tags (#16419) ([8e54bbd](vitejs/vite@8e54bbd)), closes [#16419](vitejs/vite#16419) * chore(deps): update dependency eslint-plugin-n to v17 (#16381) ([6cccef7](vitejs/vite@6cccef7)), closes [#16381](vitejs/vite#16381)
Fixes: #16414
Description
With this change, we now verify that the nonce attribute doesn't already exist on the tag prior to injecting the nonce value.