Open Rich-Harris opened 2 years ago
I'm not surprised you didn't get it to work at all in Firefox, at least when using hashes. `strict-dynamic` is kind of patchy in browsers, as evidenced by that bug, but from what I've tested there should be no real issues (from the browser side) when using nonces.
The Firefox bug mentioned here has (finally) seen movement. 116 Nightly now has support for CSP hashes for remote scripts.
I just tested `strict-dynamic` (context) and it actually seems to be working just fine (although I'm only using nonces); is there really anything that needs to be done still? Am I missing something?
@aradalvand It works with nonces, but at least for me it still doesn't work with hashes.
@Rich-Harris were you able to find a workaround for this?
Describe the problem
SvelteKit doesn't really work with `strict-dynamic` CSP, at least not when using hashes. There seem to be some non-intuitive requirements (you have to use `modulepreload`?), and I haven't been able to get it to work at all in Firefox, so I more or less gave up on it in #3499.
Describe the proposed solution
Err, not sure. But this...
...needs to work in dev and prod somehow.
Alternatives considered
No response
Importance
nice to have
Additional Information
No response