Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: csp nonce support #16052

Merged
merged 15 commits into from
Mar 13, 2024
Merged

feat: csp nonce support #16052

merged 15 commits into from
Mar 13, 2024

Conversation

sapphi-red
Copy link
Member

@sapphi-red sapphi-red commented Feb 28, 2024
edited
Loading

Description

This PR is updated version of #14653 with changes that was discussed in the team meeting. In that meeting, we discussed that writing nonce placeholder in every script/style/link tag is time consuming. Given that the nonce placeholder should be same even for different HTML files, we decided to make a new option for the nonce placeholder. I made a new PR as it was easier for me than rebasing the old one.

  • In dev,
    • Vite will inject nonce attribute with the value of html.cspNonce option to <script>/<style>/<link rel="stylesheet">.
    • Vite will use the nonce value of meta[property=csp-nonce] when injecting style tags that is generated by CSS imports in JS.
  • In build
    • Vite will inject nonce attribute with the value of html.cspNonce option to <style>.
    • Vite will generate <script>/<link rel="stylesheet">/<link rel="modulepreload"> with nonce attribute with the value of html.cspNonce option.
    • The preload function will use the nonce value of meta[property=csp-nonce] to injecting link tags

close #9719
close #11862
superseds close #11864
superseds close #11958

Additional context

What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines, especially the Pull Request Guidelines.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Update the corresponding documentation if needed.
  • Ideally, include relevant tests that fail without this PR but pass with it.

@sapphi-red sapphi-red added the enhancement New feature or request label Feb 28, 2024
@stackblitz StackBlitz
Copy link

stackblitz bot commented Feb 28, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@sapphi-red sapphi-red mentioned this pull request Feb 28, 2024
Closed
12 tasks
@sapphi-red sapphi-red added the p2-to-be-discussed Enhancement under consideration (priority) label Feb 28, 2024
@schamberg97
Copy link

I will try to take a close look at this PR later. It is quite easy to mess CSP things up in a way that CSP does little for actual security, so it is preferable that CSP is not messed up in vite

@sapphi-red sapphi-red marked this pull request as ready for review February 29, 2024 08:15
@sapphi-red
Copy link
Member Author

/ecosystem-ci run

@vite-ecosystem-ci

This comment was marked as outdated.

Sign in to view
@vite-ecosystem-ci

This comment was marked as outdated.

Sign in to view
@vite-ecosystem-ci
Copy link

📝 Ran ecosystem CI on c11ab0f: Open

suite result latest scheduled
nx failure failure
vite-plugin-vue success failure

analogjs, astro, histoire, ladle, laravel, marko, nuxt, previewjs, qwik, rakkas, sveltekit, unocss, vike, vite-plugin-pwa, vite-plugin-react, vite-plugin-react-pages, vite-plugin-react-swc, vite-plugin-svelte, vite-setup-catalogue, vitepress, vitest

@patak-dev patak-dev added this to the 5.2 milestone Mar 5, 2024
bluwy
bluwy reviewed Mar 12, 2024
View reviewed changes
Copy link
Member

@bluwy bluwy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! The implementation looks great to me. I guess my only nit is about patak's comment.

@patak-dev patak-dev merged commit 1d5eec4 into vitejs:main Mar 13, 2024
10 checks passed
@sapphi-red sapphi-red deleted the feat/csp-support-2 branch March 14, 2024 01:04
@gregtwallace gregtwallace mentioned this pull request Mar 26, 2024
Closed
7 tasks
@mishraomp mishraomp mentioned this pull request Mar 31, 2024
Merged
@sapphi-red sapphi-red mentioned this pull request Apr 13, 2024
Merged
@thebanjomatic thebanjomatic mentioned this pull request Apr 13, 2024
Merged
@TylerWanta TylerWanta mentioned this pull request May 22, 2024
Open
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bluwy bluwy bluwy left review comments

@patak-dev patak-dev patak-dev approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request p2-to-be-discussed Enhancement under consideration (priority)
Projects
Team Board
Archived in project
Milestone
5.2
Development

Successfully merging this pull request may close these issues.

Issue setting strict CSP in dev nonce tag in __vitePreload (CSP)
4 participants
@sapphi-red @schamberg97 @patak-dev @bluwy