feat: Add CSP support for hydratable
#17338
Conversation
|
|
| body | ||
| body, | ||
| hashes: { | ||
| script: renderer.global.csp.script_hashes |
There was a problem hiding this comment.
as of now, this will only ever have one hash in it -- however, with streaming, it would be more...
Thinking ahead, with streaming, this should probably error if you try to access it prior to fully-reading tail, because it needs to be fully-populated before you send the response.
| { | ||
| ${prelude} | ||
| const body = ` | ||
| { |
There was a problem hiding this comment.
I dedented and changed the formatting of this stuff because it was confusing in the browser... I could be convinced to sacrifice browser readability for code readability but I don't think the readability here is that bad, and it also technically reduces the byte count
There was a problem hiding this comment.
Do you think we should look into some sort of minification in production?
There was a problem hiding this comment.
not sure I follow — this is what it looked like before:
this is what it looks like now:
surely it's more readable on main?
not too concerned about minification personally — I think the sacrifice of a dozen bytes is worth it for the readability
There was a problem hiding this comment.
Yeah as far as the actual code output it's pretty much as minified as it can be without just nuking all of the whitespace
Do you have some weird set of settings on your browser? This is what it looks like for me in Chrome Devtools:
And with the old version it would be indented way off to the right
There was a problem hiding this comment.
Ah, it's about whether you're viewing source or inspecting
There was a problem hiding this comment.
Even when viewing source that seems wrong -- we don't send formatted HTML so it's like... indenting the tags but not the content? Weird
| export async function sha256(data) { | ||
| text_encoder ??= new TextEncoder(); | ||
| // @ts-ignore - we don't install node types in the prod build | ||
| crypto ??= (await import('node:crypto')).webcrypto; |
There was a problem hiding this comment.
come to think of it didn't we talk about skipping this and assuming that crypto is always available as a global, given that hydratable is behind the experimental.async flag? not worried about excluding people who want to use bleeding edge Svelte features but are still rocking Node 16 or whatever
There was a problem hiding this comment.
The workaround to make it work with the Node 18 tests is just way more annoying than doing this for now 😆 given it won't even run with the above change I'm inclined to just leave it
There was a problem hiding this comment.
Can't we just do globalThis.crypto ??= await import('node:crypto').webcrypto in the tests, before this module is imported?
| if (options.csp) { | ||
| csp = | ||
| 'nonce' in options.csp | ||
| ? { nonce: options.csp.nonce, hash: false } | ||
| : { hash: options.csp.hash, nonce: undefined }; |
There was a problem hiding this comment.
can't we just use options.csp directly?
There was a problem hiding this comment.
Not as currently typed -- the input value is a union. Maybe this is undesirable and we should just use an object with optional keys and JSDoc?
| { | ||
| ${prelude} | ||
| const body = ` | ||
| { |
There was a problem hiding this comment.
not sure I follow — this is what it looked like before:
this is what it looks like now:
surely it's more readable on main?
not too concerned about minification personally — I think the sacrifice of a dozen bytes is worth it for the readability
Co-authored-by: Rich Harris <[email protected]>
This also gives us an avenue for supporting CSS stuff in the future.
Before submitting the PR, please make sure you do the following
feat:,fix:,chore:, ordocs:.packages/svelte/src, add a changeset (npx changeset).Tests and linting
pnpm testand lint the project withpnpm lint