Open andersekdahl opened 6 months ago
@andersekdahl how have you worked around it?
Edit: For anyone running into this, add this to your svelte.config.js
const config = {
csp: {
directives: {
// etc
'style-src': ['self', 'sha256-9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc='],
}
}
}
Describe the bug
When creating a new Sveltekit project from the demo template and configuring CSP rules that disallows inline styles you get a CSP violation on the #svelte-announcer element which is using inline styles without a nonce.
Reproduction
https://github.com/andersekdahl/svelte-csp-repro
npm run build && npm run preview
The only thing changed from the demo project is this commit: https://github.com/andersekdahl/svelte-csp-repro/commit/53ebe42cb1114a696e3bb49b6c67daf6c7bd8d72
Logs
No response
System Info
Severity
serious, but I can work around it
Additional Information
No response