SvelteKit won't build because scripts added in the head element with strict CSP use a nonce
Describe the bug
Ok so basically I'm using strict CSP with kit.csp.mode set to "auto" and I added %sveltekit.nonce% to the nonce attribute of a <script> located in the <head> of app.html as instructed by the docs.
This causes the build to fail with the following error:
Error: Cannot use prerendering if page template contains %sveltekit.nonce%
Setting kit.csp.mode to "hash" is not an option since scripts in kit.csp.mode can only use a nonce.
Also, I'm not aware if nonces are considered better than hashes, but they do seem more lightweight, so that's potentially another reason a developer would not want to set kit.csp.mode to hash.
The only solution is to either manually calculate the hash and add it to the CSP policy but obviously that's not a good idea because, when I tested, SvelteKit successfully compiles with the wrong hash, and all it would take is for one character to change in the script, the developer forgetting to change the hash, not noticing the error, and the result would be a pretty nasty bug in production. Or, as a workaround, you could disable prerendering entirely, which would be arguably even worse.
I think the solution here should be to either make SvelteKit use hashes for scripts in app.html, or to offer a %sveltekit.hash% placeholder, similar to %sveltekit.nonce%, thus giving the user more flexibility by being slightly less convenient.
I'm not sure whether this should be a bug report or a feature request; I ended up choosing to report it as a bug, sorry if it was the wrong choice.
Reproduction
To repro just run npm run build
https://stackblitz.com/edit/sveltejs-kit-template-default-jntr65
Logs
No response
System Info
N/A (bug can be easily reproduced in StackBlitz and has nothing to do with the underlying environment)
Severity
serious, but I can work around it
Additional Information
No response
It's deliberate:
When mode is 'auto', SvelteKit will use nonces for dynamically rendered pages and hashes for prerendered pages. Using nonces with prerendered pages is insecure and therefore forbidden.
https://github.com/sveltejs/kit/blob/737eb67aea8a29f891327856006ec6f25ad76f2b/packages/kit/src/runtime/server/page/render.js#L59
I couldn't find anything on why there are no hashes in the app template so I'll leave this open
Yeah this probably should have been a feature request. In reality, the problem is not being able to use hashes in app.html
@ghostdevv What's the workaround that you've come up with?
I don't remember having one unfortunately