Skip to content

feat: write cspNonce to style tags #16419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
patak-dev merged 2 commits into from
Apr 18, 2024
Merged

feat: write cspNonce to style tags #16419

patak-dev merged 2 commits into from
Apr 18, 2024

Conversation

@thebanjomatic
Copy link
Contributor

@thebanjomatic thebanjomatic commented Apr 13, 2024

Description

Split off from #16415. This PR will set the nonce attribute for any inline <style> tags in the html if html.cspNonce is set. This probably shouldn't be merged until #16415 gets merged to avoid writing a second nonce attribute for any existing <style nonce=""> tags, otherwise this change would be breaking.

See comment from @sapphi-red

While I was working on #16052, I was thinking hard about what tags should have the nonce attribute injected. The first idea was to only inject tags that cannot be achieved by chaning the input HTML (e.g. <script type="module">). The second idea was to inject it into all tags that CSP allows using nonce (e.g. <script>, <style>). When I did that commit, I decided to go with the first idea. The reason was because I wasn't sure the whole list of tags that needs the nonce attribute to be set and another reason was because I thought it's easy to add it later rather than removing it. But it seems I forgot to skip injecting nonce attributes to script tags without type=module.

On second thought, I think it makes sense to go with the second idea. Vite already injects the nonce to <script>, , , . If I understand the CSP spec correctly, the only missing tag is the <style> tag.

@bolt-new-by-stackblitz
Copy link

bolt-new-by-stackblitz bot commented Apr 13, 2024

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

thebanjomatic
thebanjomatic commented Apr 13, 2024
View reviewed changes
@sapphi-red sapphi-red added feat: html p2-nice-to-have Not breaking anything but nice to have (priority) labels Apr 13, 2024
@sapphi-red
Copy link
Member

sapphi-red commented Apr 13, 2024

Thank you! Would you update this part as well?
https://vitejs.dev/guide/features.html#content-security-policy-csp:~:text=When%20html.cspNonce%20is%20set%2C%20Vite%20adds%20a%20nonce%20attribute%20with%20the%20specified%20value%20to%20the%20output%20script%20tag%20and%20link%20tag%20for%20stylesheets.%20Note%20that%20Vite%20will%20not%20add%20a%20nonce%20attribute%20to%20other%20tags%2C%20such%20as%20%3Cstyle%3E.

sapphi-red
sapphi-red previously approved these changes Apr 14, 2024
View reviewed changes
@sapphi-red
Copy link
Member

sapphi-red commented Apr 17, 2024

/ecosystem-ci run

@vite-ecosystem-ci
Copy link

vite-ecosystem-ci bot commented Apr 17, 2024

📝 Ran ecosystem CI on 96353ba: Open

suite result latest scheduled
nuxt success failure

analogjs, astro, histoire, ladle, laravel, marko, previewjs, quasar, qwik, rakkas, remix, sveltekit, unocss, vike, vite-plugin-pwa, vite-plugin-react, vite-plugin-react-pages, vite-plugin-react-swc, vite-plugin-svelte, vite-plugin-vue, vite-setup-catalogue, vitepress, vitest

bluwy
bluwy previously approved these changes Apr 18, 2024
View reviewed changes
patak-dev
patak-dev previously approved these changes Apr 18, 2024
View reviewed changes
@patak-dev
Copy link
Member

patak-dev commented Apr 18, 2024

@thebanjomatic would you resolve the conflicts? We discussed about this in the last team meeting and it was decided to move forward with it in a patch.

@thebanjomatic thebanjomatic dismissed stale reviews from patak-dev, bluwy, and sapphi-red via 16b9a8c April 18, 2024 10:27
@thebanjomatic
Copy link
Contributor Author

thebanjomatic commented Apr 18, 2024

@patak-dev conflicts are resolved now. Thanks!

@patak-dev patak-dev enabled auto-merge (squash) April 18, 2024 10:51
@patak-dev patak-dev merged commit 8e54bbd into vitejs:main Apr 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patak-dev patak-dev patak-dev approved these changes

@bluwy bluwy bluwy left review comments

@sapphi-red sapphi-red sapphi-red left review comments

Assignees

No one assigned

Labels

feat: html p2-nice-to-have Not breaking anything but nice to have (priority)

Projects

Team Board
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@thebanjomatic @sapphi-red @patak-dev @bluwy