From e48caf8b69b3f486056ff5e80b247d0832baca5f Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Tue, 21 Nov 2023 20:51:20 +0900 Subject: [PATCH 1/2] docs(legacy): clarify that csp hashes could change between minors --- packages/plugin-legacy/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/plugin-legacy/README.md b/packages/plugin-legacy/README.md index c2cfa4c45ef659..ad426a1f803d19 100644 --- a/packages/plugin-legacy/README.md +++ b/packages/plugin-legacy/README.md @@ -163,6 +163,8 @@ The legacy plugin requires inline scripts for [Safari 10.1 `nomodule` fix](https Run `node --input-type=module -e "import {cspHashes} from '@vitejs/plugin-legacy'; console.log(cspHashes.map(h => 'sha256-'+h))"` to retrieve the value. --> +Note that these values could change between minor versions. If you rely on these values, we recommend pinning the minor version using `~`. + These values (without the `sha256-` prefix) can also be retrieved via ```js From 75db1f1e2cb42c54843b45ce27ec1b531df6174e Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Tue, 21 Nov 2023 21:15:31 +0900 Subject: [PATCH 2/2] docs: recommend using exported variable --- packages/plugin-legacy/README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/packages/plugin-legacy/README.md b/packages/plugin-legacy/README.md index ad426a1f803d19..02790e48a387e9 100644 --- a/packages/plugin-legacy/README.md +++ b/packages/plugin-legacy/README.md 
@@ -152,7 +152,15 @@ export default { ## Content Security Policy -The legacy plugin requires inline scripts for [Safari 10.1 `nomodule` fix](https://gist.github.com/samthor/64b114e4a4f539915a95b91ffd340acc), SystemJS initialization, and dynamic import fallback. If you have a strict CSP policy requirement, you will need to [add the corresponding hashes to your `script-src` list](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script): +The legacy plugin requires inline scripts for [Safari 10.1 `nomodule` fix](https://gist.github.com/samthor/64b114e4a4f539915a95b91ffd340acc), SystemJS initialization, and dynamic import fallback. If you have a strict CSP policy requirement, you will need to [add the corresponding hashes to your `script-src` list](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script). + +The hash values (without the `sha256-` prefix) can be retrieved via: + +```js +import { cspHashes } from '@vitejs/plugin-legacy' +``` + +The current values are: - `sha256-MS6/3FCg4WjP9gwgaBGwLpRCY6fZBgwmhVCdrPrNf3E=` - `sha256-tQjf8gvb2ROOMapIxFvFAYBeUJ0v1HCbOcSmDNXGtDo=` 
@@ -163,13 +171,7 @@ The legacy plugin requires inline scripts for [Safari 10.1 `nomodule` fix](https Run `node --input-type=module -e "import {cspHashes} from '@vitejs/plugin-legacy'; console.log(cspHashes.map(h => 'sha256-'+h))"` to retrieve the value. --> -Note that these values could change between minor versions. If you rely on these values, we recommend pinning the minor version using `~`. - -These values (without the `sha256-` prefix) can also be retrieved via - -```js -import { cspHashes } from '@vitejs/plugin-legacy' -``` +Note that these values could change between minor versions. Thus, we recommend generating the CSP header from the exported `cspHashes` variable. If you copy the values manually, then you should pin the minor version using `~`. When using the `regenerator-runtime` polyfill, it will attempt to use the `globalThis` object to register itself. If `globalThis` is not available (it is [fairly new](https://caniuse.com/?search=globalThis) and not widely supported, including IE 11), it attempts to perform dynamic `Function(...)` call which violates the CSP. To avoid dynamic `eval` in the absence of `globalThis` consider adding `core-js/proposals/global-this` to `additionalLegacyPolyfills` to define it.
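Review bot: in the first patch's hunk (`@@ -163,6 +163,8`), the new note is placed after the maintainer comment and before the paragraph that introduces the `cspHashes` export, so a reader meets "pin the minor version" before learning that the exported variable avoids hand-copied values altogether; consider leading with the export and presenting `~` as the fallback for people who copy the list manually. It would also help to spell out the failure mode the note is guarding against: if a listed hash goes stale after an upgrade, browsers enforcing the CSP block the plugin's inline scripts, so the legacy bundle does not load on exactly the browsers it is meant to serve.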
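Review bot: in the second patch's first hunk (`@@ -152,7 +152,15`), the import snippet shows how to obtain the raw hashes but not how to turn them into a `script-src` source list, and the list directly below it carries the `sha256-` prefix that the export omits, which invites copying the wrong form. Showing the mapping once, e.g. `cspHashes.map((h) => "'sha256-" + h + "'").join(' ')`, would remove the ambiguity, since a CSP hash source needs both the algorithm prefix and the surrounding single quotes to be honoured.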
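Review bot: in the second patch's second hunk (`@@ -163,13 +171,7`), the replacement note recommends generating the CSP from the exported `cspHashes`, yet the maintainer comment block just above it (ending with `-->`) still carries the `node --input-type=module` one-liner for retrieving the values; now that the export is documented publicly, that comment should either point at the new paragraph or be dropped so the two do not drift apart. The `~` advice would also be clearer with a concrete range such as `"@vitejs/plugin-legacy": "~x.y.z"` for the installed `x.y.z` (placeholder), making explicit that `~` permits patch updates but not minor ones, which is the guarantee the note relies on. Finally, since a CSP can be delivered through a `<meta http-equiv="Content-Security-Policy">` tag as well as a response header, "CSP header" could read "CSP header or meta tag".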