fix: set default for missing cspScriptSrcHashes #5474
Conversation
Codecov Report
@@ Coverage Diff @@
##             dev    #5474   +/-   ##
=======================================
  Coverage   96.13%   96.13%
=======================================
  Files          74       74
  Lines        2562     2562
  Branches      652      653    +1
=======================================
  Hits         2463     2463
  Misses         83       83
  Partials       16       16
Continue to review full report at Codecov.
|
@@ -122,7 +122,7 @@ const defaultPushAssets = (preloadFiles, shouldPush, publicPath, options) => { | |||
return links | |||
} | |||
|
|||
const getCspString = ({ cspScriptSrcHashes, allowedSources, policies, isDev }) => { | |||
const getCspString = ({ cspScriptSrcHashes = [], allowedSources, policies, isDev }) => { |
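Review bot: the `= []` default on the destructured parameter only substitutes for `undefined`, so a caller that passes `cspScriptSrcHashes: null` would still fail at the first array operation on it; since the discussion says renderer.js already defaults this option to an empty array, it is worth settling on one place for that default rather than two, and adding a test for the SPA dev-mode render where no hashes are produced (the coverage report shows one new branch with no change in hits).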
This function should not be called in this case at all. I'll add some changes.
Wouldn't there be a case where hashes were not defined, but other CSP policies are defined? Especially when #5387 is in, a simple unsafe-inline would cause cspScriptSrcHashes to be empty.
@williamchong007 we are checking cspScriptSrcHashes to be defined before calling getCspString. The default value of cspScriptSrcHashes is an empty array from renderer.js. (So it still leads to calling this function.)
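The three cases discussed above (hashes undefined, hashes an empty array, and the remaining `null` gap) as an added example; this is a minimal reconstruction for illustration, not Nuxt's own getCspString or renderer.js, and the policy object shape (directive name to array of sources) and directive layout are assumptions.

```javascript
// Added example, not Nuxt's own code: a minimal reconstruction of a
// getCspString-style builder showing why an undefined `cspScriptSrcHashes`
// crashes and what the `= []` default does (and does not) cover.
// The policy object shape (directive -> array of sources) and the
// directive layout are assumptions for illustration.

// Shared directive assembly: hashes and allowed sources go into script-src,
// any other directives are appended as given.
function buildPolicy(hashes, allowedSources = [], policies = {}) {
  const scriptSrc = ['script-src', "'self'", ...hashes, ...allowedSources].join(' ');
  const others = Object.entries(policies).map(([name, srcs]) => `${name} ${srcs.join(' ')}`);
  return [scriptSrc, ...others].join('; ');
}

// Before the fix: no default, so `.map` on undefined throws a TypeError.
function getCspStringBefore({ cspScriptSrcHashes, allowedSources, policies }) {
  return buildPolicy(cspScriptSrcHashes.map(h => `'${h}'`), allowedSources, policies);
}

// After the fix (#5474): the default parameter replaces `undefined` with [].
// A default parameter does not replace `null`, so that input still throws.
function getCspStringAfter({ cspScriptSrcHashes = [], allowedSources, policies }) {
  return buildPolicy(cspScriptSrcHashes.map(h => `'${h}'`), allowedSources, policies);
}

// Run one variant and report either the CSP string or the error class.
function outcome(fn, input) {
  try {
    return { ok: true, value: fn(input) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed inputs: an SSR render that hashed one inline script, and an
// SPA dev-mode render where the renderer never produced any hashes.
const ssrInput = {
  cspScriptSrcHashes: ['sha256-AbC123'],
  allowedSources: ['https://cdn.example'],
  policies: { 'default-src': ["'self'"] },
};
const spaDevInput = { allowedSources: [], policies: { 'default-src': ["'self'"] } };

console.log(outcome(getCspStringBefore, spaDevInput)); // { ok: false, error: 'TypeError' }
console.log(outcome(getCspStringAfter, spaDevInput));  // { ok: true, value: "script-src 'self'; default-src 'self'" }
console.log(outcome(getCspStringAfter, ssrInput));
```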
…navailable (#5474) Co-Authored-By: Andreas Zoellner <andreaszoellner@gmail.com>
Fixed in 2ca08a6
Description
Minor change setting a default for cspScriptSrcHashes if it is not set. Prevents a bug when using CSP in SPA mode in local development.