Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow Gatsby to run with a CSP without unsafe-inline. #3758

chuckharmston opened this issue Jan 28, 2018 · 4 comments

Allow Gatsby to run with a CSP without unsafe-inline. #3758

chuckharmston opened this issue Jan 28, 2018 · 4 comments


Copy link

In order to use Gatsby with a CSP, the inline CSS and JavaScript it produces requires it to be run with unsafe-inline, which renders it vulnerable to a broad swath of attacks and generally makes the CSP worthless.

There are two ways to permit this:

  1. By allowing generated assets to be loaded as external assets, so origins can be used to control this.
  2. By using strict-dynamic and hashes of the content of each generated file or inline resource. This provides slightly better security, but is also more complex and rigid. Ideally in this case, the generated CSP is inserted as a <meta> tag and the same CSP is inserted into gatsby-plugin-netlify's generated _headers file.

I'd favor #1 as opt-in behavior for its flexibility. It would require more requests, but H/2's multiplexing reduces the penalty for that.

Copy link

ghost commented Jan 29, 2018

There are some related issues which go in the 2. direction:

Ideally the CSP should be opt-out, the 2. way does not require http/2 to be efficient.

Copy link

jorispz commented Apr 6, 2018

Would it be terribly difficult to make option 1 work? From my (very limited) perspective it would seem the easier route, at the expense of a few requests more.

Copy link

Due to the high volume of issues, we're closing out older ones without recent activity. Please open a new issue if you need help!

Copy link

simonlc commented Oct 13, 2018

The only problem with option 2 is it will not work with other deployments. In my opinion there should be an option for having zero inlined scripts/code. Option 2 is favorable however if you do have a supported host.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

4 participants