ntsd / sveltekit-html-minifier

Sveltekit Adapter to Minify the preload HTML page
https://www.npmjs.com/package/sveltekit-html-minifier
MIT License

CSP hashes should be replaced if minifyCSS or minifyJS options are used #2

Open Cloudef opened 6 months ago

Cloudef commented 6 months ago

When using Svelte with CSP and the html-minifier adapter with minifyCSS or minifyJS enabled, the hash of the inline styles and JS scripts might change. The minifier should calculate the hash of the inline CSS/script before and after transformation and replace the hash in the CSP header with the new one.

Some other options may affect the contents of inline scripts and CSS, such as quoteCharacter and collapseWhitespace.

ntsd commented 5 months ago

the CSP (hash and nonce) is generated from this class

https://github.com/sveltejs/kit/blob/5596ee00a3b170c236dab3bb840a6bfb73a5a3ed/packages/kit/src/runtime/server/page/csp.js#L327

As I checked, it's only called by server.respond; not sure if it's only supported on SSR.

I think the best way to solve this is not the adapter but instead to add the HTML minify function in SvelteKit.

Some hacky way to replace the hash might work. Or maybe move minify before the main adapter, but that will not include minifying the inline CSS/JS.