As of today, Astro-Shield always adds the `'self'` source to avoid potential problems with static imports present inside loaded scripts.
Although this is not dangerous, it is arguably less safe than just adding the hashes of the specific resources that will be loaded, and it is not always necessary (loaded scripts do not always have static imports inside them, which is the only reason to add the `self` source).
My proposal is to detect when those `import` statements are present in the loaded scripts, and then add the `self` source only in those cases.
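
A sketch of the detection proposed above, as an added example that is not Astro-Shield's code: a heuristic that strips comments and string literals before looking for static `import` declarations, then emits `'self'` only when one is found. It also counts `export ... from` re-exports, which goes beyond the issue text; the function names, the `{ hash, content }` record shape and the placeholder hashes are assumptions made for the illustration.

```javascript
// Heuristic only: regex literals containing quotes can confuse it; a real
// implementation would use a proper module parser.
const NOISE =
  /\/\*[\s\S]*?\*\/|\/\/[^\n]*|'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\[\s\S]|[^`\\])*`/g;

// Statement-level `import x`, `import {`, `import *`, `import ""`.
// Does not match import("...") (dynamic), import.meta, or importScripts(...).
const STATIC_IMPORT = /(?:^|[;}\n])\s*import(?:\s*(?:""|[*{])|\s+[\w$])/;
// `export * from ""`, `export * as ns from ""`, `export { a } from ""`.
const RE_EXPORT =
  /(?:^|[;}\n])\s*export\s*(?:\*(?:\s*as\s+[\w$]+)?|\{[^}]*\})\s*from\s*""/;

// Drop comments and collapse every string/template literal to "" so that
// import-looking text inside them cannot produce a false positive.
function stripNoise(src) {
  return src.replace(NOISE, (m) => (m[0] === '/' ? ' ' : '""'));
}

function hasStaticImport(src) {
  const code = stripNoise(src);
  return STATIC_IMPORT.test(code) || RE_EXPORT.test(code);
}

// scripts: [{ hash: 'sha256-...', content: '<script source>' }] (assumed shape)
function buildScriptSrc(scripts) {
  const hashes = scripts.map((s) => `'${s.hash}'`);
  const needsSelf = scripts.some((s) => hasStaticImport(s.content));
  return ['script-src', ...(needsSelf ? ["'self'"] : []), ...hashes].join(' ');
}

// Constructed sample scripts with placeholder hashes (not real digests).
const PLAIN = {
  hash: 'sha256-PLACEHOLDER_A',
  content: 'console.log("import x from \'y\'"); // import z from "w"',
};
const WITH_IMPORT = {
  hash: 'sha256-PLACEHOLDER_B',
  content: 'import { init } from "./app.js";\ninit();',
};

console.log(buildScriptSrc([PLAIN]));
console.log(buildScriptSrc([PLAIN, WITH_IMPORT]));
```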