fix: do not add content-security-policy meta element if content is empty (#10026)

GitRowin · web-flow · commit 1c0423b655b7 · 2023-05-25T21:03:29.000-04:00
diff --git a/.changeset/heavy-eels-wash.md b/.changeset/heavy-eels-wash.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: do not add content-security-policy meta element if content is empty
diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
@@ -178,8 +178,13 @@ class BaseProvider {
 
 class CspProvider extends BaseProvider {
 	get_meta() {
-		const content = escape_html_attr(this.get_header(true));
-		return `<meta http-equiv="content-security-policy" content=${content}>`;
+		const content = this.get_header(true);
+
+		if (!content) {
+			return;
+		}
+
+		return `<meta http-equiv="content-security-policy" content=${escape_html_attr(content)}>`;
 	}
 }
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@sveltejs/kit': patch
 +---
++
 +fix: do not add content-security-policy meta element if content is empty
Original file line number	Diff line number	Diff line change
`@@ -178,8 +178,13 @@ class BaseProvider {`
`178`	`178`
`179`	`179`	`class CspProvider extends BaseProvider {`
`180`	`180`	`get_meta() {`
`181`		`- const content = escape_html_attr(this.get_header(true));`
`182`		- return `<meta http-equiv="content-security-policy" content=${content}>`;
	`181`	`+ const content = this.get_header(true);`
	`182`	`+`
	`183`	`+ if (!content) {`
	`184`	`+ return;`
	`185`	`+ }`
	`186`	`+`
	`187`	+ return `<meta http-equiv="content-security-policy" content=${escape_html_attr(content)}>`;
`183`	`188`	`}`
`184`	`189`	`}`
`185`	`190`