-
-
Notifications
You must be signed in to change notification settings - Fork 6.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue setting strict CSP in dev #11862
Comments
I think this may be the exact issue I have been experiencing, as described/asked about over on the spatie/laravel-csp package discussion... spatie/laravel-csp#101 hopefully this will be merged in soon, as this holds us back from fully implementing a good content policy that we don't have to disable when developing locally :/ |
Having the same issue here too. |
Technically you can drop |
So it is still not fixed - a strict CSP using @Vite and Laravel? Has anyone done it? I can not find an answer/example anywhere. So I suggest do not waste your time (3 days now for me) apparently it is a very complex coding issue, and I mean that honestly. I love Laravel, Tailwind CSS, and OMG I love Spatie-CSP and would like to use Livewire. So this is what you do. Do NOT install Laravel JetStream it is too integrated with @Vite now. Create a new Laravel project. Install Fortify (brings in Sanctum as well). Install TailwindCSS. Then install Livewire which uses AlpineJS. Then use route level/group binding with multiple CSP headers as provided by Spatie. And after the guest has authenticated, give them the option to use Livewire reactivity which BREAKS a strict CSP. So a "MANAGER" has Livewire access but a visitor/guest does not. I am not waiting until a framework is built specifically for a strict CSP. |
This is solvable through plugins, albeit it's frightening that Vite devs are unable to offer any solution to this question. export default defineConfig(({ mode }) => {
// something
const viteClientRegex = /node_modules\/vite\/dist\/client\/client\.mjs$/gi;
// regex'es to add CSP
// TODO: make one normal regex to handle all three
const regexScript = /<script(.*?)/gi;
const replacementScript = `<script nonce="${nonce}"$1`;
const regexStyle = /<style(.*?)/gi;
const replacementStyle = `<style nonce="${nonce}"$1`;
const regexLink = /<link(.*?)/gi;
const replacementLink = `<link nonce="${nonce}"$1`;
const nonce = mode === "development" ? "nonce" : "{SERVER-GENERATED-NONCE}";
return {
plugins: [
{
name: "transform-file",
transform(src, id) {
if (viteClientRegex.test(id)) {
return {
code: src.replace(
"style.setAttribute('data-vite-dev-id', id);",
`style.setAttribute('data-vite-dev-id', id); style.setAttribute('nonce', '${nonce.toString()}');`
),
};
}
},
},
{
name: "html-inject-nonce-into-script-tag",
enforce: "post",
transformIndexHtml(html) {
return html
.replace(regexScript, replacementScript)
.replace(regexStyle, replacementStyle)
.replace(regexLink, replacementLink);
},
},
],
};
}); @gitRup-ca @justin-tay FYI. You should mostly be interested in the first plugin If someone decides to make a plugin on NPM from this, I'd be grateful if you credit me (have no time ATM to package it all properly) |
@sapphi-red / @patak-dev - quick clarification on this: the mentioned issue solves this using a nonce, which is not suitable for generated / static applications. Are there any plans to implement support for these kinds of applications using hashes? |
Describe the bug
I am trying to set a strict CSP in dev so that developers don't inadvertently introduce changes that will break the application in production where a strict CSP is applied.
In this case the CSP avoids setting
unsafe-inline
forstyle-src
Content-Security-Policy: style-src 'nonce-random' 'self'
etcWhen running in dev
client.ts
in Chrome the following errors are seen in consoleRefused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-random' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-J+3YsBcGEYMOe4DwBHZqef/THcqobccvabWv1wEouI4='), or a nonce ('nonce-...') is required to enable inline execution.
updateStyle | @ | client.ts:377
I will try to submit a PR for this issue. Since unlike webpack there is no convention of where to take the nonce value from like in
window.__webpack_nonce__
I will likely get it from a meta tag like marco-prontera/vite-plugin-css-injected-by-js#64Reproduction
https://github.com/justin-tay/vite-csp-issue.git
Steps to reproduce
Configure
vite.config.ts
with a strict CSP that disallows unsafe inline for style-srcRun
npm run dev
System Info
Used Package Manager
npm
Logs
No response
Validations
The text was updated successfully, but these errors were encountered: