search

runtime-env / import-meta-env

Build once, deploy anywhere.
http://import-meta-env.org/
MIT License
245 stars 15 forks source link

Incompatible with strict Content-Security-Policy #1255

Open jacquesg opened 5 months ago

jacquesg commented 5 months ago

Currently using dynamic substitutions with the inline style tag:

    <script>
      globalThis.import_meta_env = JSON.parse('"import_meta_env_placeholder"');
    </script>

Unfortunately, this requires adding unsafe-inline as an option to the script-src value when using the Content-Security-Policy header.

Is there an alternative mechanism available, which would allow this code to reside in a "real" script?

soc221b commented 5 months ago

Hi, @jacquesg

Please try the other solution we made: https://github.com/runtime-env/runtime-env

Since the runtime-env's approach is to load a external script (same origin from your app) generated at runtime, it should works with script-src: self.

Thank you. 😃