import-meta-env
Incompatible with strict Content-Security-Policy
Currently using dynamic substitutions with the inline style tag:
<script>
globalThis.import_meta_env = JSON.parse('"import_meta_env_placeholder"');
</script>
Unfortunately, this requires adding unsafe-inline as an option to the script-src value when using the Content-Security-Policy header.
Is there an alternative mechanism available, which would allow this code to reside in a "real" script?
Hi, @jacquesg
Please try the other solution we made: https://github.com/runtime-env/runtime-env
Since runtime-env's approach is to load an external script (same origin as your app) generated at runtime, it should work with script-src: self.
Thank you. 😃
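The approach described in the reply (a same-origin script generated at runtime, so the page needs no inline `<script>`), sketched as an added example that is not part of the thread and is not import-meta-env or runtime-env code. The names `ENV_SCRIPT_PATH`, `PUBLIC_KEYS`, `renderEnvScript` and `respond`, the `/app.js` path and the sample environment are assumptions made for illustration.

```javascript
// Added example: all names here are hypothetical, not the runtime-env API.
const ENV_SCRIPT_PATH = "/env.js";
const PUBLIC_KEYS = ["API_BASE_URL", "RELEASE"]; // allowlist: only these reach the browser
const CSP = "default-src 'self'; script-src 'self'"; // no 'unsafe-inline'

// Build the script body at request time from the server's environment.
function renderEnvScript(env) {
  const exposed = {};
  for (const key of PUBLIC_KEYS) {
    if (typeof env[key] === "string") exposed[key] = env[key];
  }
  // JSON text is a valid JS expression; escape U+2028/U+2029 for older engines.
  const json = JSON.stringify(exposed)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `globalThis.import_meta_env = ${json};\n`;
}

// Minimal handler: returns what the server should send for a given path.
function respond(path, env) {
  if (path === ENV_SCRIPT_PATH) {
    return {
      status: 200,
      headers: {
        "Content-Type": "text/javascript; charset=utf-8",
        "Cache-Control": "no-store", // values are resolved per request
        "X-Content-Type-Options": "nosniff",
      },
      body: renderEnvScript(env),
    };
  }
  if (path === "/") {
    return {
      status: 200,
      headers: { "Content-Type": "text/html; charset=utf-8", "Content-Security-Policy": CSP },
      // Both scripts are same-origin files, so script-src 'self' allows them.
      body: `<!doctype html><script src="${ENV_SCRIPT_PATH}"></script><script src="/app.js"></script>`,
    };
  }
  return { status: 404, headers: {}, body: "not found" };
}

// Constructed sample environment; DB_PASSWORD must never appear in the output.
const sampleEnv = { API_BASE_URL: "https://api.example.test", RELEASE: "1.2.3", DB_PASSWORD: "s3cret" };
console.log(respond(ENV_SCRIPT_PATH, sampleEnv).body);
```

Because the values are served as a file rather than substituted into the HTML, the allowlist is the only control over what reaches the browser, so server-side secrets must stay out of `PUBLIC_KEYS`.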