
Don't add `nonce` to `<link>` elements when CSP is enabled

Open aradalvand opened this issue 2 years ago • 0 comments

Describe the bug

Currently, when nonce-based CSP is enabled in SvelteKit, the nonce attribute is added to `<link>` elements as well, but nonce is only applicable to `<style>` and `<script>`, according to the CSP2 specification + the CSP3 specification. Unless I'm missing something, in which case please let me know.

This is what SvelteKit generates:

```html
<!DOCTYPE html>
<html lang="en">
	<head>
		<meta charset="utf-8" />
		<link rel="icon" href="./favicon.png" />
		<meta name="viewport" content="width=device-width" />
		
		<link href="./_app/immutable/assets/_page-2347c82c.css" rel="stylesheet" nonce="u7VH06jH02YES86ylTAPmA==">
	</head>
	<body data-sveltekit-preload-data="hover">
		<div style="display: contents">

<h1 class="svelte-bt9zrl">Welcome to SvelteKit</h1>
<p>Visit <a href="https://kit.svelte.dev">kit.svelte.dev</a> to read the documentation</p>


		<script type="module" data-sveltekit-hydrate="1j3ysyd" nonce="u7VH06jH02YES86ylTAPmA==">
			import { start } from "./_app/immutable/start-c4a34443.js";

			start({
				env: {},
				paths: {"base":"","assets":""},
				target: document.querySelector('[data-sveltekit-hydrate="1j3ysyd"]').parentNode,
				version: "1671235206427",
				hydrate: {
					node_ids: [0, 2],
					data: [null,null],
					form: null
				}
			});
		</script>
	</div>
	</body>
</html>
```

Notice the nonce is also added to the `<link>` element above. But that has no effect and isn't correct.

Reproduction

N/A

Logs

No response

System Info

```
System:
    OS: Linux 5.10 Ubuntu 22.04.1 LTS 22.04.1 LTS (Jammy Jellyfish)
    CPU: (4) x64 Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
    Memory: 3.45 GB / 3.84 GB
    Container: Yes
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 18.12.1 - /usr/bin/node
    npm: 8.19.2 - /usr/bin/npm
  npmPackages:
    @sveltejs/adapter-auto: ^1.0.0 => 1.0.0
    @sveltejs/adapter-node: ^1.0.0 => 1.0.0
    @sveltejs/kit: ^1.0.0 => 1.0.1
    svelte: ^3.54.0 => 3.55.0
    vite: ^4.0.0 => 4.0.1
```

Severity

annoyance

Additional Information

No response

aradalvand avatar Dec 17 '22 00:12 aradalvand
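The report hinges on which elements in the rendered page carry a `nonce` and whether each one matches the value sent in the `Content-Security-Policy` header. The following is an added example, not SvelteKit's own code, that audits a server-rendered HTML string for exactly that: it lists every nonce-bearing element by tag name, flags any whose nonce differs from the header value, checks that the nonce itself is at least 128 bits of base64, and builds the matching header. The sample HTML is a trimmed copy of the output quoted above; `auditNonces`, `isWellFormedNonce` and `buildCspHeader` are names chosen for this example.

```javascript
// Added example (not SvelteKit code): audit CSP nonce placement in rendered HTML.
// SAMPLE_HTML is constructed from the page quoted in the report above.
const SAMPLE_HTML = `<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" href="./favicon.png" />
    <link href="./_app/immutable/assets/_page-2347c82c.css" rel="stylesheet" nonce="u7VH06jH02YES86ylTAPmA==">
  </head>
  <body data-sveltekit-preload-data="hover">
    <div style="display: contents">
      <h1 class="svelte-bt9zrl">Welcome to SvelteKit</h1>
      <p>Visit <a href="https://kit.svelte.dev">kit.svelte.dev</a> to read the documentation</p>
      <script type="module" data-sveltekit-hydrate="1j3ysyd" nonce="u7VH06jH02YES86ylTAPmA==">
        import { start } from "./_app/immutable/start-c4a34443.js";
      </script>
    </div>
  </body>
</html>`;

// The nonce value the server put in the CSP header for this response (from the report).
const HEADER_NONCE = "u7VH06jH02YES86ylTAPmA==";

// Matches an opening tag: captures the tag name and its raw attribute string.
// Closing tags (</x>) and the doctype (<!...) do not match because the first
// character after "<" must be a letter.
const OPEN_TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// Matches a nonce attribute in double quotes, single quotes, or unquoted.
const NONCE_ATTR_RE = /\snonce=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/;

// Returns every element that carries a nonce attribute, plus the subset whose
// value does not equal the nonce the server advertised in its CSP header.
// A mismatch means the browser will refuse that script/stylesheet even though
// the page "has a nonce", which is the failure mode worth catching in CI.
function auditNonces(html, expectedNonce) {
  const found = [];
  let match;
  while ((match = OPEN_TAG_RE.exec(html)) !== null) {
    const [, tag, attrs] = match;
    const n = NONCE_ATTR_RE.exec(attrs);
    if (n) {
      found.push({ tag: tag.toLowerCase(), nonce: n[1] ?? n[2] ?? n[3] });
    }
  }
  OPEN_TAG_RE.lastIndex = 0; // reset the global regex for the next caller
  const mismatched = found.filter((e) => e.nonce !== expectedNonce);
  return { found, mismatched };
}

// A nonce must be unguessable per response: require valid base64 that decodes
// to at least 16 bytes (128 bits), the minimum the CSP spec recommends.
function isWellFormedNonce(nonce) {
  if (typeof nonce !== "string" || !/^[A-Za-z0-9+/]+={0,2}$/.test(nonce)) {
    return false;
  }
  return Buffer.from(nonce, "base64").length >= 16;
}

// Builds the header that pairs with the rendered markup: only elements whose
// nonce attribute equals this value are allowed to load or execute.
function buildCspHeader(nonce) {
  return `script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Stand-alone usage: print what the audit finds for the sample page.
const report = auditNonces(SAMPLE_HTML, HEADER_NONCE);
console.log("elements carrying a nonce:", report.found.map((e) => e.tag).join(", "));
console.log("nonces not matching header:", report.mismatched.length);
console.log("header nonce well-formed:", isWellFormedNonce(HEADER_NONCE));
console.log(buildCspHeader(HEADER_NONCE));
```

Run against the sample, the audit reports both the `link` and the `script` element as nonce-bearing with no mismatches, which is precisely the observation the report is about; in a CI check you would compare that tag list against the set of elements your policy is meant to authorize.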