DioxusLabs
Don't use inline scripts and function constructor
This allows a stricter Content-Security-Policy which is required for web extensions.
Related https://github.com/DioxusLabs/dioxus/issues/3866 https://github.com/DioxusLabs/dioxus/issues/808 and possibly https://github.com/DioxusLabs/dioxus/issues/1484
https://github.com/DioxusLabs/dioxus/blob/f610c6b8c11bc0f9ef52936d2830d41e66b2f3f4/packages/web/src/document.rs#L171 is the problematic line of code
I don't think this will work with fullstack streaming like the suspense-carousel playwright test. We need the script to start running before the html is fully loaded which is why we are using an inline script tag to start the wasm. I think we can set a nonce for the inline script or add the hash of inline script contents to the CSP instead
I don't think this will work with fullstack streaming like the
suspense-carouselplaywright test. We need the script to start running before the html is fully loaded which is why we are using an inline script tag to start the wasm. I think we can set a nonce for the inline script to allow stricter CSPs
That would not work for web extensions (Reading manifest: Error processing content_security_policy.extension_pages: ‘script-src’ directive contains a forbidden 'nonce-*' keyword) but now I understand why the script needs to start running before the html is fully loaded.
It seems that loading the module script asynchronously is possible and seems to pass the test.
CI failures are unrelated dependency issues I'm working on fixing them in https://github.com/DioxusLabs/dioxus/pull/4312
Should be ready but I have not tested this yet and don't have more time today.