sveltejs / kit

web development, streamlined
https://svelte.dev/docs/kit
MIT License

`strict-dynamic` CSP support #3558

Open Rich-Harris opened 2 years ago

Rich-Harris commented 2 years ago

Describe the problem

SvelteKit doesn't really work with strict-dynamic CSP, at least not when using hashes. There seem to be some non-intuitive requirements (you have to use modulepreload?), and I haven't been able to get it to work at all in Firefox, so I more or less gave up on it in #3499.

Describe the proposed solution

Err, not sure. But this...

```js
// svelte.config.js
export default {
  kit: {
    csp: {
      directives: {
        'default-src': ['strict-dynamic']
      }
    }
  }
};
```

...needs to work in dev and prod somehow.

Alternatives considered

No response

Importance

nice to have

Additional Information

No response

Karlinator commented 2 years ago

I'm not surprised you didn't get it to work at all in Firefox, at least when using hashes.

strict-dynamic is kind of patchy in browsers, as evidenced by that bug, but from what I've tested there should be no real issues (from the browser side) when using nonces.

Karlinator commented 1 year ago

The Firefox bug mentioned here has (finally) seen movement. 116 Nightly now has support for CSP hashes for remote scripts.

https://bugzilla.mozilla.org/show_bug.cgi?id=1409200

aradalvand commented 1 year ago

I just tested strict-dynamic (context) and it actually seems to be working just fine (although I'm only using nonces); is there really anything that needs to be done still? Am I missing something?

stephanabs commented 1 year ago

@aradalvand It works with nonces, but at least for me it still doesn't work with hashes.

@Rich-Harris were you able to find a workaround for this?