Skip to content

feat: csp nonce support#16052

Merged
patak-cat merged 15 commits intovitejs:mainfrom
sapphi-red:feat/csp-support-2
Mar 13, 2024
Merged

feat: csp nonce support#16052
patak-cat merged 15 commits intovitejs:mainfrom
sapphi-red:feat/csp-support-2

Conversation

@sapphi-red
Copy link
Member

@sapphi-red sapphi-red commented Feb 28, 2024
edited
Loading

Description

This PR is updated version of #14653 with changes that was discussed in the team meeting. In that meeting, we discussed that writing nonce placeholder in every script/style/link tag is time consuming. Given that the nonce placeholder should be same even for different HTML files, we decided to make a new option for the nonce placeholder. I made a new PR as it was easier for me than rebasing the old one.

  • In dev,
    • Vite will inject nonce attribute with the value of html.cspNonce option to <script>/<style>/<link rel="stylesheet">.
    • Vite will use the nonce value of meta[property=csp-nonce] when injecting style tags that is generated by CSS imports in JS.
  • In build
    • Vite will inject nonce attribute with the value of html.cspNonce option to <style>.
    • Vite will generate <script>/<link rel="stylesheet">/<link rel="modulepreload"> with nonce attribute with the value of html.cspNonce option.
    • The preload function will use the nonce value of meta[property=csp-nonce] to injecting link tags

close #9719
close #11862
superseds close #11864
superseds close #11958

Additional context

What is the purpose of this pull request?

  • Bug fix
  • New Feature
  • Documentation update
  • Other

Before submitting the PR, please make sure you do the following

  • Read the Contributing Guidelines, especially the Pull Request Guidelines.
  • Check that there isn't already a PR that solves the problem the same way to avoid creating a duplicate.
  • Provide a description in this PR that addresses what the PR is solving, or reference the issue that it solves (e.g. fixes #123).
  • Update the corresponding documentation if needed.
  • Ideally, include relevant tests that fail without this PR but pass with it.

sapphi-red and others added 5 commits February 29, 2024 00:29
@sapphi-red @maccuaa
feat: html.cspNonce option
adaad77 
Co-authored-by: Andrew <8158705+maccuaa@users.noreply.github.com>
@sapphi-red
feat: inject meta[property=csp-nonce]
9fea365
@sapphi-red @justin-tay
feat: add nonce when injecting style tag in dev
0d0a478 
Co-Authored-By: Justin Tay <49700559+justin-tay@users.noreply.github.com>
@sapphi-red
feat: use nonce value in meta tag for preload
8e50973
@sapphi-red
refactor: inject nonce attribute in a separate html hook
e973af0
@sapphi-red sapphi-red added the enhancement New feature or request label Feb 28, 2024
@bolt-new-by-stackblitz
Copy link

bolt-new-by-stackblitz bot commented Feb 28, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@sapphi-red sapphi-red mentioned this pull request Feb 28, 2024
Closed
12 tasks
@sapphi-red sapphi-red added the p2-to-be-discussed Enhancement under consideration (priority) label Feb 28, 2024
@schamberg97
Copy link

schamberg97 commented Feb 28, 2024

I will try to take a close look at this PR later. It is quite easy to mess CSP things up in a way that CSP does little for actual security, so it is preferable that CSP is not messed up in vite

@sapphi-red sapphi-red marked this pull request as ready for review February 29, 2024 08:15
@sapphi-red
Copy link
Member Author

sapphi-red commented Feb 29, 2024

/ecosystem-ci run

@vite-ecosystem-ci

This comment was marked as outdated.

Sign in to view
@vite-ecosystem-ci

This comment was marked as outdated.

Sign in to view
@vite-ecosystem-ci
Copy link

vite-ecosystem-ci bot commented Feb 29, 2024

📝 Ran ecosystem CI on c11ab0f: Open

suite result latest scheduled
nx failure failure
vite-plugin-vue success failure

analogjs, astro, histoire, ladle, laravel, marko, nuxt, previewjs, qwik, rakkas, sveltekit, unocss, vike, vite-plugin-pwa, vite-plugin-react, vite-plugin-react-pages, vite-plugin-react-swc, vite-plugin-svelte, vite-setup-catalogue, vitepress, vitest

patak-cat
patak-cat reviewed Mar 5, 2024
View reviewed changes
@patak-cat patak-cat added this to the 5.2 milestone Mar 5, 2024
bluwy
bluwy reviewed Mar 12, 2024
View reviewed changes
Copy link
Member

@bluwy bluwy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! The implementation looks great to me. I guess my only nit is about patak's comment.

patak-cat
patak-cat reviewed Mar 13, 2024
View reviewed changes
@patak-cat patak-cat merged commit 1d5eec4 into vitejs:main Mar 13, 2024
@sapphi-red sapphi-red deleted the feat/csp-support-2 branch March 14, 2024 01:04
@gregtwallace gregtwallace mentioned this pull request Mar 26, 2024
Closed
7 tasks
@mishraomp mishraomp mentioned this pull request Mar 31, 2024
Merged
@sapphi-red sapphi-red mentioned this pull request Apr 13, 2024
Merged
@thebanjomatic thebanjomatic mentioned this pull request Apr 13, 2024
Merged
@TylerWanta TylerWanta mentioned this pull request May 22, 2024
Open
7 tasks
@genki genki mentioned this pull request Jan 6, 2025
Closed
This was referenced Feb 11, 2025
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bluwy bluwy bluwy left review comments

@patak-cat patak-cat patak-cat approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request p2-to-be-discussed Enhancement under consideration (priority)

Projects

Team Board
Archived in project

Milestone

5.2

Development

Successfully merging this pull request may close these issues.

Issue setting strict CSP in dev nonce tag in __vitePreload (CSP)

4 participants

@sapphi-red @schamberg97 @patak-cat @bluwy