fix: set default for missing cspScriptSrcHashes #5474
Conversation
zoellner
changed the title
Codecov Report
@@ Coverage Diff @@
## dev #5474 +/- ##
=======================================
Coverage 96.13% 96.13%
=======================================
Files 74 74
Lines 2562 2562
Branches 652 653 +1
=======================================
Hits 2463 2463
Misses 83 83
Partials 16 16
Continue to review full report at Codecov.
|
| @@ -122,7 +122,7 @@ const defaultPushAssets = (preloadFiles, shouldPush, publicPath, options) => { | |||
| return links | |||
| } | |||
|
|
|||
| const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isDev }) => { | |||
| const getCspString = ({ cspScriptSrcHashes = [], allowedSources, policies, isDev }) => { | |||
There was a problem hiding this comment.
This function should not be called in this case at all. I'll add some change
There was a problem hiding this comment.
Wouldn't there be a case where hashes were not defined, but other CSP policies is defined?
especially when #5387 is in, a simple unsafe-inline would cause cspScriptSrcHashes to be empty
There was a problem hiding this comment.
@williamchong007 we are checking cspScriptSrcHashes to be defined before calling getCspString. The default value of cspScriptSrcHashes is an empty array from renderer.js. (So still leads to calling this function)
…navailable (#5474) Co-Authored-By: Andreas Zoellner <andreaszoellner@gmail.com>
|
Fixed in 2ca08a6 |
Types of changes
Description
Minor change setting a default to cspScriptSrcHashes if it is not set. Prevents bug when using CSP in SPA mode in local development
Checklist: