Skip to content

fix: support CSP for mts#1994

Merged
Sherry-hue merged 1 commit intolynx-family:mainfrom
PupilTong:p/hw/fix-csp
Dec 12, 2025
Merged

fix: support CSP for mts#1994
Sherry-hue merged 1 commit intolynx-family:mainfrom
PupilTong:p/hw/fix-csp

Conversation

@PupilTong
Copy link
Copy Markdown
Collaborator

@PupilTong PupilTong commented Dec 9, 2025
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • Bug Fixes
    • Fixed Content Security Policy (CSP) support for mts environments.

✏️ Tip: You can customize this high-level summary in your review settings.

Checklist

  • Tests updated (or not required).
  • Documentation updated (or not required).
  • Changeset added, and when a BREAKING CHANGE occurs, it needs to be clearly marked (or not required).

@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Dec 9, 2025

🦋 Changeset detected

Latest commit: e56133a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
Name Type
@lynx-js/web-core Patch
upgrade-rspeedy Patch
@lynx-js/web-rsbuild-server-middleware Patch
@lynx-js/web-core-server Patch
@lynx-js/web-constants Patch
@lynx-js/web-mainthread-apis Patch
@lynx-js/web-worker-rpc Patch
@lynx-js/web-worker-runtime Patch
@lynx-js/rspeedy Patch
create-rspeedy Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@PupilTong PupilTong self-assigned this Dec 9, 2025
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Dec 9, 2025
edited
Loading

📝 Walkthrough

Walkthrough

A new changeset documents a patch release for @lynx-js/web-core with CSP nonce support. The implementation extracts nonce values from existing script tags and propagates them to dynamically created script elements in the iframe realm, ensuring loaded scripts respect Content Security Policy directives.

Changes

Cohort / File(s) Summary
Changeset Documentation
.changeset/full-wombats-relate.md		 New changeset entry documenting patch version increment and fix for CSP nonce support
CSP Nonce Propagation
packages/web-platform/web-core/src/uiThread/createRenderAllOnUI.ts		 Extracts nonce from existing script tag and propagates it to dynamically created script elements in iframe loader to ensure CSP compliance

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • The nonce extraction and propagation logic is straightforward with minimal branching
  • Changes are focused and localized to a single implementation file
  • One file is a trivial changeset documentation entry

Possibly related PRs

Suggested labels

platform:Web

Suggested reviewers

  • Sherry-hue
  • colinaaa

Poem

🐰 A nonce hops through the script domain,
CSP policies now refrain,
From blocking frames with proper grace,
Security finds its rightful place! 🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: adding CSP (Content Security Policy) support for mts through nonce propagation in script elements.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link
Copy Markdown

codecov bot commented Dec 9, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

@codspeed-hq
Copy link
Copy Markdown

codspeed-hq bot commented Dec 9, 2025

CodSpeed Performance Report

Merging #1994 will not alter performance

Comparing PupilTong:p/hw/fix-csp (e56133a) with main (f7256d5)

Summary

✅ 63 untouched
⏩ 3 skipped1

Footnotes

  1. 3 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@relativeci
Copy link
Copy Markdown

relativeci bot commented Dec 9, 2025
edited
Loading

Web Explorer

#6581 Bundle Size — 372.99KiB (+0.02%).

e56133a(current) vs f7256d5 main#6568(baseline)

Bundle metrics  Change 3 changes Regression 1 regression
                 Current
#6581		      Baseline
#6568
Regression  Initial JS 146.41KiB(+0.06%) 146.32KiB
No change  Initial CSS 32.4KiB 32.4KiB
Change  Cache Invalidation 39.24% 48.3%
No change  Chunks 8 8
No change  Assets 8 8
Change  Modules 231(+0.43%) 230
No change  Duplicate Modules 16 16
No change  Duplicate Code 2.97% 2.97%
No change  Packages 4 4
No change  Duplicate Packages 0 0
Bundle size by type  Change 1 change Regression 1 regression
                 Current
#6581		      Baseline
#6568
Regression  JS 243.61KiB (+0.04%) 243.52KiB
No change  Other 96.98KiB 96.98KiB
No change  CSS 32.4KiB 32.4KiB

Bundle analysis reportBranch PupilTong:p/hw/fix-cspProject dashboard

Generated by RelativeCIDocumentationReport issue

@relativeci
Copy link
Copy Markdown

relativeci bot commented Dec 9, 2025
edited
Loading

React Example

#6421 Bundle Size — 236.9KiB (0%).

e56133a(current) vs f7256d5 main#6408(baseline)

Bundle metrics  no changes
                 Current
#6421		      Baseline
#6408
No change  Initial JS 0B 0B
No change  Initial CSS 0B 0B
No change  Cache Invalidation 0% 0%
No change  Chunks 0 0
No change  Assets 4 4
No change  Modules 162 162
No change  Duplicate Modules 65 65
No change  Duplicate Code 46.74% 46.74%
No change  Packages 2 2
No change  Duplicate Packages 0 0
Bundle size by type  no changes
                 Current
#6421		      Baseline
#6408
No change  IMG 145.76KiB 145.76KiB
No change  Other 91.14KiB 91.14KiB

Bundle analysis reportBranch PupilTong:p/hw/fix-cspProject dashboard

Generated by RelativeCIDocumentationReport issue

@PupilTong PupilTong requested a review from Sherry-hue December 10, 2025 05:04
@Sherry-hue Sherry-hue merged commit 12a98f7 into lynx-family:main Dec 12, 2025
81 of 86 checks passed
@github-actions github-actions bot mentioned this pull request Dec 12, 2025
Merged
colinaaa pushed a commit that referenced this pull request Dec 14, 2025
@github-actions
chore: Release 2025-12-12 10:03:11 (#1991)
4e17b0b 
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @lynx-js/css-extract-webpack-plugin@0.7.0

### Minor Changes

- **BREAKING CHANGE**: Require `@lynx-js/template-webpack-plugin`
0.10.0. ([#1965](#1965))

- Merge all css chunk and generate a `.css.hot-update.json` file for
each bundle.
([#1965](#1965))

## @lynx-js/template-webpack-plugin@0.10.0

### Minor Changes

- Merge all css chunk and generate a `.css.hot-update.json` file for
each bundle.
([#1965](#1965))

## @lynx-js/react@0.115.1

### Patch Changes

- Auto define lynx.loadLazyBundle when using `import(/* relative path
*/)`. ([#1956](#1956))

- feat: support declaring cross-thread shared modules via Import
Attributes, enabling Main Thread Functions to call standard JS functions
directly. ([#1968](#1968))

- Usage: Add `with { runtime: "shared" }` to the `import` statement. For
example:

        ```ts
        import { func } from './utils.js' with { runtime: 'shared' };

        function worklet() {
          'main thread';
          func(); // callable inside a main thread function
        }
        ```

    -   Limitations:
- Only directly imported identifiers are treated as shared; assigning
the import to a new variable will result in the loss of this shared
capability.
- Functions defined within shared modules do not automatically become
Main Thread Functions. Accessing main-thread-only APIs (e.g.,
`MainThreadRef`) will cause errors.

## @lynx-js/rspeedy@0.12.2

### Patch Changes

- Bump Rsbuild v1.6.13 with Rspack v1.6.6.
([#1995](#1995))

-   Updated dependencies \[]:
    -   @lynx-js/web-rsbuild-server-middleware@0.19.1

## @lynx-js/react-rsbuild-plugin@0.12.1

### Patch Changes

- Avoid injecting hot update runtime when dev.hmr or dev.liveReload is
set to false.
([#1980](#1980))

- Updated dependencies
\[[`553ece1`](553ece1),
[`8cdb69d`](8cdb69d),
[`8cdb69d`](8cdb69d)]:
    -   @lynx-js/react-webpack-plugin@0.7.3
    -   @lynx-js/css-extract-webpack-plugin@0.7.0
    -   @lynx-js/template-webpack-plugin@0.10.0
    -   @lynx-js/react-alias-rsbuild-plugin@0.12.1
    -   @lynx-js/use-sync-external-store@1.5.0
    -   @lynx-js/react-refresh-webpack-plugin@0.3.4

## @lynx-js/web-constants@0.19.1

### Patch Changes

-   Updated dependencies \[]:
    -   @lynx-js/web-worker-rpc@0.19.1

## @lynx-js/web-core@0.19.1

### Patch Changes

- fix: support CSP for mts
([#1994](#1994))

- Updated dependencies
\[[`f7256d5`](f7256d5)]:
    -   @lynx-js/web-mainthread-apis@0.19.1
    -   @lynx-js/web-worker-runtime@0.19.1
    -   @lynx-js/web-constants@0.19.1
    -   @lynx-js/web-worker-rpc@0.19.1

## @lynx-js/web-mainthread-apis@0.19.1

### Patch Changes

- fix: fix reload lynx-view when `enableCSSSelector` false may cause css
style lost
([#1982](#1982))

-   Updated dependencies \[]:
    -   @lynx-js/web-constants@0.19.1

## @lynx-js/web-worker-runtime@0.19.1

### Patch Changes

- Updated dependencies
\[[`f7256d5`](f7256d5)]:
    -   @lynx-js/web-mainthread-apis@0.19.1
    -   @lynx-js/web-constants@0.19.1
    -   @lynx-js/web-worker-rpc@0.19.1

## @lynx-js/react-webpack-plugin@0.7.3

### Patch Changes

- Support `@lynx-js/template-webpack-plugin` v0.10.0.
([#1992](#1992))

## create-rspeedy@0.12.2



## @lynx-js/react-alias-rsbuild-plugin@0.12.1



## upgrade-rspeedy@0.12.2



## @lynx-js/web-core-server@0.19.1



## @lynx-js/web-rsbuild-server-middleware@0.19.1



## @lynx-js/web-worker-rpc@0.19.1

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@coderabbitai coderabbitai bot mentioned this pull request Dec 15, 2025
Merged
3 tasks
f0rdream pushed a commit to f0rdream/lynx-stack that referenced this pull request Dec 18, 2025
@PupilTong @f0rdream
fix: support CSP for mts (lynx-family#1994)
a940a8d 
<!--
  Thank you for submitting a pull request!

We appreciate the time and effort you have invested in making these
changes. Please ensure that you provide enough information to allow
others to review your pull request.

Upon submission, your pull request will be automatically assigned with
reviewers.

If you want to learn more about contributing to this project, please
visit:
https://github.com/lynx-family/lynx-stack/blob/main/CONTRIBUTING.md.
-->

<!-- The AI summary below will be auto-generated - feel free to replace
it with your own. -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
  * Fixed Content Security Policy (CSP) support for mts environments.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

## Checklist

<!--- Check and mark with an "x" -->

- [ ] Tests updated (or not required).
- [ ] Documentation updated (or not required).
- [ ] Changeset added, and when a BREAKING CHANGE occurs, it needs to be
clearly marked (or not required).
f0rdream pushed a commit to f0rdream/lynx-stack that referenced this pull request Dec 18, 2025
@github-actions @f0rdream
chore: Release 2025-12-12 10:03:11 (lynx-family#1991)
e23fb0b 
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @lynx-js/css-extract-webpack-plugin@0.7.0

### Minor Changes

- **BREAKING CHANGE**: Require `@lynx-js/template-webpack-plugin`
0.10.0. ([lynx-family#1965](lynx-family#1965))

- Merge all css chunk and generate a `.css.hot-update.json` file for
each bundle.
([lynx-family#1965](lynx-family#1965))

## @lynx-js/template-webpack-plugin@0.10.0

### Minor Changes

- Merge all css chunk and generate a `.css.hot-update.json` file for
each bundle.
([lynx-family#1965](lynx-family#1965))

## @lynx-js/react@0.115.1

### Patch Changes

- Auto define lynx.loadLazyBundle when using `import(/* relative path
*/)`. ([lynx-family#1956](lynx-family#1956))

- feat: support declaring cross-thread shared modules via Import
Attributes, enabling Main Thread Functions to call standard JS functions
directly. ([lynx-family#1968](lynx-family#1968))

- Usage: Add `with { runtime: "shared" }` to the `import` statement. For
example:

        ```ts
        import { func } from './utils.js' with { runtime: 'shared' };

        function worklet() {
          'main thread';
          func(); // callable inside a main thread function
        }
        ```

    -   Limitations:
- Only directly imported identifiers are treated as shared; assigning
the import to a new variable will result in the loss of this shared
capability.
- Functions defined within shared modules do not automatically become
Main Thread Functions. Accessing main-thread-only APIs (e.g.,
`MainThreadRef`) will cause errors.

## @lynx-js/rspeedy@0.12.2

### Patch Changes

- Bump Rsbuild v1.6.13 with Rspack v1.6.6.
([lynx-family#1995](lynx-family#1995))

-   Updated dependencies \[]:
    -   @lynx-js/web-rsbuild-server-middleware@0.19.1

## @lynx-js/react-rsbuild-plugin@0.12.1

### Patch Changes

- Avoid injecting hot update runtime when dev.hmr or dev.liveReload is
set to false.
([lynx-family#1980](lynx-family#1980))

- Updated dependencies
\[[`553ece1`](lynx-family@553ece1),
[`8cdb69d`](lynx-family@8cdb69d),
[`8cdb69d`](lynx-family@8cdb69d)]:
    -   @lynx-js/react-webpack-plugin@0.7.3
    -   @lynx-js/css-extract-webpack-plugin@0.7.0
    -   @lynx-js/template-webpack-plugin@0.10.0
    -   @lynx-js/react-alias-rsbuild-plugin@0.12.1
    -   @lynx-js/use-sync-external-store@1.5.0
    -   @lynx-js/react-refresh-webpack-plugin@0.3.4

## @lynx-js/web-constants@0.19.1

### Patch Changes

-   Updated dependencies \[]:
    -   @lynx-js/web-worker-rpc@0.19.1

## @lynx-js/web-core@0.19.1

### Patch Changes

- fix: support CSP for mts
([lynx-family#1994](lynx-family#1994))

- Updated dependencies
\[[`f7256d5`](lynx-family@f7256d5)]:
    -   @lynx-js/web-mainthread-apis@0.19.1
    -   @lynx-js/web-worker-runtime@0.19.1
    -   @lynx-js/web-constants@0.19.1
    -   @lynx-js/web-worker-rpc@0.19.1

## @lynx-js/web-mainthread-apis@0.19.1

### Patch Changes

- fix: fix reload lynx-view when `enableCSSSelector` false may cause css
style lost
([lynx-family#1982](lynx-family#1982))

-   Updated dependencies \[]:
    -   @lynx-js/web-constants@0.19.1

## @lynx-js/web-worker-runtime@0.19.1

### Patch Changes

- Updated dependencies
\[[`f7256d5`](lynx-family@f7256d5)]:
    -   @lynx-js/web-mainthread-apis@0.19.1
    -   @lynx-js/web-constants@0.19.1
    -   @lynx-js/web-worker-rpc@0.19.1

## @lynx-js/react-webpack-plugin@0.7.3

### Patch Changes

- Support `@lynx-js/template-webpack-plugin` v0.10.0.
([lynx-family#1992](lynx-family#1992))

## create-rspeedy@0.12.2



## @lynx-js/react-alias-rsbuild-plugin@0.12.1



## upgrade-rspeedy@0.12.2



## @lynx-js/web-core-server@0.19.1



## @lynx-js/web-rsbuild-server-middleware@0.19.1



## @lynx-js/web-worker-rpc@0.19.1

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Sherry-hue Sherry-hue Sherry-hue approved these changes

Assignees

@PupilTong PupilTong

Labels

platform:Web

Projects

Lynx for Web
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PupilTong @Sherry-hue