bejamas / gatsby-plugin-csp

A Gatsby plugin which adds strict Content Security Policy to your project.
MIT License

CSP meta `content` is escaped #11

Open vcarl opened 5 years ago

vcarl commented 5 years ago

A production build puts the following in my head, as seen in curl:

```html
<meta
  http-equiv="Content-Security-Policy"
  content="script-src &#x27;self&#x27; &#x27;sha256-<hash>&#x27; &#x27;<hash>&#x27;;"
/>
```

The `'`s are being escaped to `&#x27;`, which is breaking the CSP. It looks like `createElement` is escaping the HTML entities, so this meta tag might need to be constructed a different way.
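As an added example (not code from gatsby-plugin-csp or from anyone in this thread), the following checks a policy string the way it comes out of that tag: the raw attribute value, where the `;` inside each `&#x27;` cuts the directive list apart and the quoted keywords no longer match, versus the same string after the character-reference decoding an HTML attribute parser applies. `decodeHtmlAttr`, `parseCsp`, `invalidSources` and the hash placeholder are assumptions of the example, not part of the plugin.

```javascript
// Added example, not code from gatsby-plugin-csp or from this thread.
// Constructed placeholder: a base64 SHA-256 is 44 chars, but this is not a real digest.
const FAKE_HASH = "sha256-" + "A".repeat(43) + "=";
// Raw attribute value as curl shows it, mirroring the escaped tag from the issue.
const RAW_META_CONTENT = `script-src &#x27;self&#x27; &#x27;${FAKE_HASH}&#x27;;`;

// Decode numeric and the common named character references, as an HTML
// parser does for attribute values before the browser reads the policy.
function decodeHtmlAttr(value) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return value
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => named[n]);
}

// Split a serialized policy into { directiveName: [sourceExpressions] }.
// ";" is the directive separator, so an undecoded "&#x27;" splits the
// policy in the middle of a source expression and invents bogus directives.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Accepted source expressions: quoted keyword, quoted hash or nonce,
// scheme-source, or host-source. Everything else is reported.
const KEYWORD = /^'(self|none|unsafe-inline|unsafe-eval|strict-dynamic|unsafe-hashes|report-sample)'$/;
const HASH_OR_NONCE = /^'(sha(256|384|512)-[A-Za-z0-9+/]+=*|nonce-[A-Za-z0-9+/=_-]+)'$/;
const SCHEME = /^[a-z][a-z0-9+.-]*:$/i;
const HOST = /^(\*|([a-z][a-z0-9+.-]*:\/\/)?(\*\.)?[a-z0-9.-]+(:(\d+|\*))?(\/\S*)?)$/i;

// Return "directive: source" for every source expression that is not well formed.
function invalidSources(policy) {
  const bad = [];
  for (const [name, sources] of Object.entries(parseCsp(policy))) {
    for (const s of sources) {
      if (![KEYWORD, HASH_OR_NONCE, SCHEME, HOST].some((re) => re.test(s))) {
        bad.push(`${name}: ${s}`);
      }
    }
  }
  return bad;
}
```

Running `invalidSources` on `RAW_META_CONTENT` flags `script-src: &#x27` and yields a bogus `self&#x27` directive, while the decoded string parses to a clean `script-src 'self' 'sha256-…'`.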

vcarl commented 5 years ago

Been beating my head against this since opening the issue, and I'm not sure what a fix is. I'm flat not able to get this package to work; I'm curious if there's a workaround I'm not seeing.

There's a confluence that makes this hard to fix: React doesn't support top-level `dangerouslySetInnerHTML`, and `<meta>` tags can't be nested within another tag. Drawing a blank on any other ways to ensure this property doesn't get escaped.

fhelipe-turati-appnovation commented 4 years ago

Hi, I'm getting the same issue with the `'` in the `' '` place.... Any news about this issue?