`strict-dynamic` CSP support

[Rich-Harris]

Describe the problem

SvelteKit doesn't really work with strict-dynamic CSP, at least not when using hashes. There seem to be some non-intuitive requirements (you have to use modulepreload?), and I haven't been able to get it to work at all in Firefox, so I more or less gave up on it in #3499.

Describe the proposed solution

Err, not sure. But this...

// svelte.config.js
export default {
  kit: {
    csp: {
      directives: {
        'default-src': ['strict-dynamic']
      }
    }
  }
};

...needs to work in dev and prod somehow.

Alternatives considered

No response

Importance

nice to have

Additional Information

No response

[Karlinator]

I'm not surprised you didn't get it to work at all in Firefox, at least when using hashes.

strict-dynamic is kind of patchy in browsers, as evidenced by that bug, but from what I've tested there should be no real issues (from the browser side) when using nonces.

[Karlinator]

The Firefox bug mentioned here has (finally) seen movement. 116 Nightly now has support for CSP hashes for remote scripts.

https://bugzilla.mozilla.org/show_bug.cgi?id=1409200

[aradalvand]

I just tested strict-dynamic (context) and it actually seems to be working just fine (although I'm only using nonces); is there really anything that needs to be done still? Am I missing something?

[stephanabs]

@aradalvand It works with nonces, but at least for me it still doesn't work with hashes.

@Rich-Harris were you able to find a workaround for this?

[archoda]

@Rich-Harris: Kindly, any conversations or understanding on when this might be updated to have both hash and nonce to working with strict-dynamic?