[Fizz] Support nonce option to be passed to inline scripts #22593

Merged (1 commit) on Oct 20, 2021

sebmarkbage
Collaborator

Fizz currently generates inline scripts. If you have a Content Security Policy that blocks it, you need to provide a nonce attribute to it to allow those scripts. This just adds an option to pass through such an attribute.

However, a better strategy is probably that we expose an external script that can be loaded onto the page early through a src with a mutation observer that detects segments that we've inserted and runs the appropriate commands. That way we don't need to use inline scripts for this. It's also closer to what we'd want the ideal built-in feature for this in the DOM to look like so it'd be more of a polyfill.

However, it might still be better to use inline scripts for the cases where it is allowed and you haven't already loaded the script into cache. Also, if you already have a nonce anyway it might be better.
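To illustrate the nonce pass-through described above, here is an added example (not code from React or from this PR) that creates a per-response nonce, puts it in the CSP header and on each inline script, and audits the emitted HTML for inline scripts the policy would block. The function names, the `reveal(...)` call and the `S:0`/`S:1` segment ids are assumptions made up for the sample.

```javascript
const { randomBytes } = require('crypto');

// A fresh, unpredictable nonce per response (128 bits, base64-encoded).
function makeNonce() {
  return randomBytes(16).toString('base64');
}

// Policy that allows only scripts carrying this response's nonce.
function cspHeader(nonce) {
  return `script-src 'nonce-${nonce}'; object-src 'none'; base-uri 'none'`;
}

// Hypothetical stand-in for the inline script a streaming renderer emits.
// Anything that is not base64 is rejected so the value cannot break out
// of the attribute.
function inlineScript(code, nonce) {
  if (nonce !== undefined && !/^[A-Za-z0-9+/_-]+={0,2}$/.test(nonce)) {
    throw new TypeError('nonce must be base64');
  }
  const attr = nonce === undefined ? '' : ` nonce="${nonce}"`;
  return `<script${attr}>${code}</script>`;
}

// Rough audit of trusted server output (a regex scan, not an HTML parser):
// returns the bodies of inline scripts whose nonce is missing or wrong.
function blockedInlineScripts(html, nonce) {
  const blocked = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(re)) {
    if (/\bsrc\s*=/i.test(attrs)) continue; // external scripts: out of scope here
    const m = /\bnonce\s*=\s*"([^"]*)"/i.exec(attrs);
    if (!m || m[1] !== nonce) blocked.push(body);
  }
  return blocked;
}

// Constructed sample: two streamed chunks, the second emitted without a nonce.
function sampleStream(nonce) {
  return [
    '<div id="S:0" hidden>loaded</div>' + inlineScript('reveal("S:0")', nonce),
    '<div id="S:1" hidden>more</div>' + inlineScript('reveal("S:1")'),
  ].join('');
}
```

Running `blockedInlineScripts(sampleStream(n), n)` flags only the second chunk's script, which is the one a browser enforcing `cspHeader(n)` would refuse to execute.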

@facebook-github-bot facebook-github-bot added CLA Signed React Core Team Opened by a member of the React Core Team labels Oct 20, 2021

sizebot commented Oct 20, 2021

Comparing: 34e4c97...f4f890f

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

| Name | +/- | Base | Current | +/- gzip | Base gzip | Current gzip |
| --- | --- | --- | --- | --- | --- | --- |
| oss-stable/react-dom/cjs/react-dom.production.min.js | = | 130.21 kB | 130.21 kB | = | 41.42 kB | 41.42 kB |
| oss-experimental/react-dom/cjs/react-dom.production.min.js | = | 133.04 kB | 133.04 kB | = | 42.40 kB | 42.40 kB |
| facebook-www/ReactDOM-prod.classic.js | = | 414.69 kB | 414.69 kB | = | 76.59 kB | 76.59 kB |
| facebook-www/ReactDOM-prod.modern.js | = | 403.28 kB | 403.28 kB | = | 74.86 kB | 74.86 kB |
| facebook-www/ReactDOMForked-prod.classic.js | = | 414.69 kB | 414.69 kB | = | 76.60 kB | 76.60 kB |

Significant size changes

Includes any change greater than 0.2%:

| Name | +/- | Base | Current | +/- gzip | Base gzip | Current gzip |
| --- | --- | --- | --- | --- | --- | --- |
| oss-stable-semver/react-dom/cjs/react-dom-server.node.production.min.js | +0.44% | 31.55 kB | 31.69 kB | +0.50% | 10.65 kB | 10.71 kB |
| oss-stable/react-dom/cjs/react-dom-server.node.production.min.js | +0.44% | 31.55 kB | 31.69 kB | +0.50% | 10.65 kB | 10.71 kB |
| oss-experimental/react-dom/cjs/react-dom-server.node.production.min.js | +0.44% | 31.68 kB | 31.82 kB | +0.46% | 10.71 kB | 10.76 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server.browser.production.min.js | +0.40% | 31.29 kB | 31.42 kB | +0.50% | 10.65 kB | 10.70 kB |
| oss-stable/react-dom/cjs/react-dom-server.browser.production.min.js | +0.40% | 31.29 kB | 31.42 kB | +0.50% | 10.65 kB | 10.70 kB |
| oss-experimental/react-dom/cjs/react-dom-server.browser.production.min.js | +0.40% | 31.43 kB | 31.55 kB | +0.49% | 10.70 kB | 10.75 kB |
| oss-stable-semver/react-dom/umd/react-dom-server.browser.production.min.js | +0.40% | 31.47 kB | 31.59 kB | +0.43% | 10.77 kB | 10.82 kB |
| oss-stable/react-dom/umd/react-dom-server.browser.production.min.js | +0.40% | 31.47 kB | 31.59 kB | +0.43% | 10.77 kB | 10.82 kB |
| oss-experimental/react-dom/umd/react-dom-server.browser.production.min.js | +0.40% | 31.60 kB | 31.73 kB | +0.43% | 10.82 kB | 10.87 kB |
| facebook-www/ReactDOMServer-prod.modern.js | +0.24% | 71.03 kB | 71.19 kB | +0.22% | 15.31 kB | 15.34 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server-legacy.browser.development.js | +0.21% | 219.00 kB | 219.45 kB | +0.17% | 52.83 kB | 52.92 kB |
| oss-stable/react-dom/cjs/react-dom-server-legacy.browser.development.js | +0.21% | 219.00 kB | 219.45 kB | +0.17% | 52.83 kB | 52.92 kB |
| oss-experimental/react-dom/cjs/react-dom-server-legacy.browser.development.js | +0.21% | 219.52 kB | 219.98 kB | +0.17% | 52.98 kB | 53.08 kB |
| oss-stable-semver/react-dom/cjs/react-dom-server-legacy.node.development.js | +0.21% | 220.61 kB | 221.07 kB | +0.17% | 53.27 kB | 53.36 kB |
| oss-stable/react-dom/cjs/react-dom-server-legacy.node.development.js | +0.21% | 220.61 kB | 221.07 kB | +0.17% | 53.27 kB | 53.36 kB |
| oss-experimental/react-dom/cjs/react-dom-server-legacy.node.development.js | +0.21% | 221.14 kB | 221.59 kB | +0.17% | 53.42 kB | 53.51 kB |
| oss-stable-semver/react-dom/umd/react-dom-server-legacy.browser.development.js | +0.20% | 229.99 kB | 230.46 kB | +0.16% | 53.43 kB | 53.51 kB |
| oss-stable/react-dom/umd/react-dom-server-legacy.browser.development.js | +0.20% | 229.99 kB | 230.46 kB | +0.16% | 53.43 kB | 53.51 kB |
| oss-experimental/react-dom/umd/react-dom-server-legacy.browser.development.js | +0.20% | 230.55 kB | 231.02 kB | +0.16% | 53.58 kB | 53.66 kB |

Generated by 🚫 dangerJS against f4f890f

@sebmarkbage sebmarkbage merged commit 3677c01 into facebook:main Oct 20, 2021
@sebmarkbage sebmarkbage changed the title Support nonce option to be passed to inline scripts [Fizz] Support nonce option to be passed to inline scripts Oct 20, 2021
KamranAsif pushed a commit to KamranAsif/react that referenced this pull request Nov 4, 2021
zhengjitf pushed a commit to zhengjitf/react that referenced this pull request Apr 15, 2022