
Autogenerate CSP hashes for static adapter

Open. DylanPiercey opened this issue 11 months ago • 1 comment

Explore automatically replacing CSP nonces with content hashes and an inline meta http-equiv tag (e.g. https://www.isaacsmith.us/blog/2022/add-csp-to-github-pages) when the static adapter is used.

This would allow CSP nonces in SSR builds while still having a stricter CSP in static builds.

DylanPiercey avatar Dec 30 '24 16:12 DylanPiercey

I'd like to call out a peculiar performance bug in chromium related to the meta CSP tag. The presence of a meta CSP tag disables the browser's preload scanner. Fortunately, this appears to be getting fixed soon.

The CSP meta tag can be a perf footgun in other ways. If, for any reason, a script tag exists before a meta CSP tag, browsers will disable the preload scanner. I'm struggling to find strong references to this behavior, but it is mentioned here by a DevRel at Google who strongly discourages the meta CSP altogether: https://rviscomi.dev/2023/07/you-probably-dont-need-http-equiv-meta-tags/#content-security-policy

Other references:

  • https://issues.chromium.org/issues/40070749
  • https://stackoverflow.com/questions/78114535/content-security-policy-meta-tag-preventing-preload-scanner-to-work-properly-in

caseycarroll avatar Jan 13 '25 03:01 caseycarroll