[BUG]: the <host-source> and <scheme-source> must not be wrapped in quotes #3
I'll try and get this fixed. Though vite-plugin-csp is still unfinished, I'm now looking at rewriting it in a monorepo containing some shared functionality to provide SSG and framework-specific SSR plugins/libraries, so that things like CSP nonces can be used and hashes can be accurate to the files provided at various paths, all of which aren't really possible through only the build hooks currently.
## [1.1.8](v1.1.7...v1.1.8) (2021-10-04)

### Bug Fixes

* 🐛 fix quoting of policies ([ed84e27](ed84e27)), closes [#3](#3)
🎉 This issue has been resolved in version 1.1.8 🎉 The release is available on:

Your semantic-release bot 📦🚀
Still need to update vite-plugin-csp, but I should be able to get to that tomorrow. 🤞
@czabaj I've updated vite-plugin-csp, ran into some typing issues and it took a little longer. Should be good now.
Thanks @josh-hemphill, just tested it and there must be an issue in the linaria plugin as well. The URIs are still quoted. See
Yep, I just went through and double-checked the output of vite-plugin-csp, and it seems to be correct there. Though I'm not sure how another plugin would introduce quoting to the internal values of meta strings...
Description
I'm using the vite-plugin-csp and it's currently buggy for me, for it is wrapping the specified URLs in single quotes, which is not valid (according to the MDN CSP documentation) and is also ignored by the browser (Chrome 93.0.4577.63).
I believe the problem is on this LOC, the wrapping is done for all the sources, but it must be applied only to some of them.
Given how complicated the syntax for `<host-source>` might be, I would probably go for testing all keywords and crypto sources, rather than testing `<host-source>` and `<scheme-source>`. Something like

might do the job, but this rule applies not only to `script-src`, but also to `style-src` and probably more policies, and there might be more keywords specified for other policies which I'm unaware of, as I'm a newbie in terms of CSP. So you might opt out of testing the `<host-source>` and `<scheme-source>`, just beware that testing the URI of `<host-source>` might be very complicated, as the CSP allows wildcards and omitting the scheme, thus the Node.js URL class cannot be used.
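An added example, not vite-plugin-csp's own code, of the split the description proposes: quote only keyword and nonce/hash sources and leave `<host-source>` and `<scheme-source>` bare, so wildcards and scheme-less hosts never have to go through a URL parser. The keyword list, the `serializePolicy` input shape and the sample policy are assumptions made for this example.

```javascript
// Keyword sources as listed in the CSP3 grammar (assumed complete enough for
// this example; add any directive-specific keywords you rely on).
const KEYWORD_SOURCES = new Set([
  "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
  "strict-dynamic", "report-sample", "wasm-unsafe-eval",
]);

// nonce-source and hash-source: algorithm prefix plus a base64 value.
// ABNF string literals are case-insensitive, hence the /i flag.
const CRYPTO_SOURCE = /^(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_-]+=*$/i;

// Strip one surrounding pair of single quotes, if present, so that input
// which was already (or wrongly) quoted is normalised before the decision.
function unquote(value) {
  const v = value.trim();
  return v.length >= 2 && v.startsWith("'") && v.endsWith("'") ? v.slice(1, -1) : v;
}

// True for keyword, nonce and hash sources, which the grammar writes inside
// single quotes; false for <host-source> and <scheme-source>, which must not
// be quoted (quoting them makes the browser ignore the entry).
function needsQuotes(value) {
  const bare = unquote(value);
  return KEYWORD_SOURCES.has(bare.toLowerCase()) || CRYPTO_SOURCE.test(bare);
}

// Emit one source expression with exactly the quoting the grammar expects.
function formatSource(value) {
  const bare = unquote(value);
  return needsQuotes(bare) ? `'${bare}'` : bare;
}

// Serialise { "directive-name": [sources] } into the string used for the
// Content-Security-Policy header or the <meta http-equiv> content attribute.
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => [directive, ...sources.map(formatSource)].join(" "))
    .join("; ");
}

// Constructed sample mixing hosts, wildcards, a bare scheme, keywords and
// crypto sources, some of them pre-quoted the way the bug report describes.
const SAMPLE_POLICY = {
  "script-src": ["self", "'https://cdn.example.com'", "*.example.org", "nonce-abc123", "https:"],
  "style-src": ["'self'", "unsafe-inline", "sha256-AbCd+/=="],
};

console.log(serializePolicy(SAMPLE_POLICY));
```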