Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: csp nonce in script-src-elem, style-src-attr and style-src-elem when using unsafe-inline #11613

Merged
merged 25 commits into from
Nov 13, 2024

Conversation

MathiasWP
Copy link
Contributor

@MathiasWP MathiasWP commented Jan 11, 2024

same implementation as #11575 for script-src-elem, style-src-attr and style-src-elem.

i also refactored the CSP code to make it less hairy


Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

Copy link

changeset-bot bot commented Jan 11, 2024

🦋 Changeset detected

Latest commit: 8be42e1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@MathiasWP MathiasWP changed the title fix csp nonce in script-src-elem, style-src-attr and style-src-elem when using unsafe-inline [security]: fix csp nonce in script-src-elem, style-src-attr and style-src-elem when using unsafe-inline Jan 11, 2024
@MathiasWP
Copy link
Contributor Author

Not sure why the tests fail, they work fine locally on my computer:

pnpm run --dir packages/kit test:cross-platform:dev:
Screenshot 2024-01-18 at 21 12 47

the specific test that fails in the CI:
Screenshot 2024-01-18 at 21 13 24

@eltigerchino
Copy link
Member

Just merged main in and re-ran the tests. They're passing now 👍🏼

@eltigerchino eltigerchino changed the title [security]: fix csp nonce in script-src-elem, style-src-attr and style-src-elem when using unsafe-inline fix: csp nonce in script-src-elem, style-src-attr and style-src-elem when using unsafe-inline Nov 12, 2024
@Rich-Harris
Copy link
Member

preview: https://svelte-dev-git-preview-kit-11613-svelte.vercel.app/

this is an automated message

Copy link
Member

@eltigerchino eltigerchino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@eltigerchino eltigerchino merged commit 6df00fc into sveltejs:main Nov 13, 2024
12 checks passed
@github-actions github-actions bot mentioned this pull request Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants