kit svelte prerendered site not working with CSP script-src 'self'

svelte prerendered site not working with CSP script-src 'self'

Open marciovalim opened this issue 2 years ago • 1 comments

Describe the bug

Captura de Tela 2023-03-23 às 13 30 08

Since a dynamic script is required for starting the app in the builded version, it is not possible to configure CSP header script-src as 'self'.

Reproduction

Set CSP script-src as 'self' and build a prerendered site

Logs

No response

System Info

System:
    OS: macOS 13.0
    CPU: (8) arm64 Apple M1
    Memory: 153.11 MB / 16.00 GB
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 16.17.0 - ~/.nvm/versions/node/v16.17.0/bin/node
    Yarn: 1.22.17 - /opt/homebrew/bin/yarn
    npm: 8.15.0 - ~/.nvm/versions/node/v16.17.0/bin/npm
  Browsers:
    Chrome: 111.0.5563.110
    Firefox: 111.0
    Safari: 16.1
  npmPackages:
    @sveltejs/adapter-auto: next => 1.0.0-next.91 
    @sveltejs/adapter-node: next => 1.0.0-next.106 
    @sveltejs/adapter-static: next => 1.0.0-next.50 
    @sveltejs/kit: next => 1.0.0-next.589 
    svelte: ^3.55.0 => 3.55.1 
    vite: ^4.0.1 => 4.1.1

Severity

blocking all usage of SvelteKit

Additional Information

No response

Mar 23 '23 16:03 marciovalim

I am wondering if this could be extracted to a separate script element. If yes, then it looks like a fairly easy pull request.

Aug 04 '24 13:08 notramo

kit kit copied to clipboard

svelte prerendered site not working with CSP script-src 'self'

Describe the bug

Reproduction

Logs

System Info

Severity

Additional Information

kit
kit copied to clipboard