EmDashHead JSON-LD scripts are injected via HTML string and are not CSP-hashed #1782
Closed
khoinguyenpham04
announced in
Roadmap
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
This Roadmap discussion mirrors #1601: EmDashHead JSON-LD scripts are injected via HTML string and are not CSP-hashed.
Use this discussion to upvote the roadmap item and discuss priority, use cases, and product feedback. Keep implementation tracking, reproduction details, and PR-specific feedback on the source issue.
bug,bot:working,bot:bugOriginal Issue
Description
EmDashHeadrenders JSON-LD<script type="application/ld+json">tags by building an HTML string and injecting it withset:html. Astro's CSP hash tracking does not appear to see these generated inline scripts, so strict CSP blocks the JSON-LD script tags at runtime.Relevant EmDash implementation paths:
Observed output:
Expected behavior: JSON-LD emitted by
EmDashHeadshould be compatible with Astro CSP, either by rendering in a way Astro can hash, using Astro's CSP APIs, or exposing a way for sites to render/suppress JSON-LD themselves.Steps to reproduce
security.csp.EmDashHeadin the base layout:application/ld+jsonscript.Environment
Logs / error output
Beta Was this translation helpful? Give feedback.
All reactions