Avoiding inline script tag in built index.html
It would be great if it was possible to avoid having the
import init from '/index-....js';init('/index-..._bg.wasm');
part of the html in a separate file and load it as a module, similar to React's INLINE_RUNTIME_CHUNK=false.
This is so allowing script-src 'unsafe-inline' can be avoided when setting Content Security Policy headers.
That's a good point. I gave this a try by just appending the init('....wasm'); call to the end of the index....js file and changing the HTML line to <script type="module" src="/index....js"></script>. That worked just fine, so I think we can implement it rather easily.
I think a good place for this setting would be the special HTML link:
<!DOCTYPE html>
<html lang="en">
  <head>
    <link data-trunk rel="rust" data-no-inline>
    <!--                        ^ new option here -->
  </head>
  <body>
  </body>
</html>
If that is set, we simply append the call to the wasm-bindgen output (it updates the wasm file and generates the JS bindings file) and change the import statement in the output HTML. What do you think @thedodd?
Is the additional attribute required? I'd argue that putting import ... in its own file and including that file from index.html could just be the default behaviour.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Since I care a great deal about proper CSP headers, I'm going to poke this to ward off the bot. If it's been fixed, let a human actively close it.
@ssokolow Honestly I am not sure what the state is. If you know more, maybe you could re-evaluate this. And of course: PRs welcome :)
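The change requested in this thread, sketched as a post-build step. This is an added example, not part of the thread and not trunk's own code: it moves each inline module script of a built index.html into its own file, so a policy without 'unsafe-inline' can be served. The function names, the /inline-N.js file names, the abc123 hash and the policy string are assumptions made for illustration.

```javascript
// Added example: post-build step that moves inline module scripts out of a
// built index.html so the CSP can omit 'unsafe-inline'. The output file
// names and the sample HTML are constructed for illustration.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// An inline module: type="module", no src attribute, non-empty body.
function isInlineModule(attrs, body) {
  return /\btype\s*=\s*["']?module\b/i.test(attrs) &&
    !/\bsrc\s*=/i.test(attrs) && body.trim() !== '';
}

// Returns the rewritten HTML plus the files to write next to it.
function externalizeInlineModules(html, prefix = '/inline-') {
  const files = {};
  let n = 0;
  const out = html.replace(SCRIPT_TAG, (tag, attrs, body) => {
    if (!isInlineModule(attrs, body)) return tag; // leave everything else alone
    const name = `${prefix}${n++}.js`;
    files[name] = body.trim() + '\n';
    return `<script${attrs} src="${name}"></script>`;
  });
  return { html: out, files };
}

// Number of inline modules left; a deploy check can fail the build if > 0.
function countInlineModules(html) {
  let count = 0;
  for (const m of html.matchAll(SCRIPT_TAG)) {
    if (isInlineModule(m[1], m[2])) count++;
  }
  return count;
}

// Policy for the rewritten page. 'wasm-unsafe-eval' allows WebAssembly
// compilation without re-enabling eval() or inline scripts.
const CSP = "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'";

// Constructed sample shaped like the snippet quoted in the issue.
const sample = `<!DOCTYPE html>
<html lang="en">
  <head>
    <script type="module">import init from '/index-abc123.js';init('/index-abc123_bg.wasm');</script>
  </head>
  <body></body>
</html>`;

const result = externalizeInlineModules(sample);
console.log(result.html);
console.log(Object.keys(result.files), 'Content-Security-Policy: ' + CSP);
```

Because the import and the wasm path in the moved script are absolute, they resolve the same way from the new file as they did inline.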