report-uri in csp config does not accept valid input after v2.5.2 #11905

Closed
MathiasWP opened this issue Feb 27, 2024 · 1 comment · Fixed by #11908

Comments

MathiasWP commented Feb 27, 2024

Describe the bug

This is a valid uri for the report-uri directive:

https://123.ingest.sentry.io/api/456/security/?sentry_key=123mykey&sentry_environment=development&sentry_release=sha1-release-hash

But SvelteKit does not approve its structure. This was noticed after this PR was merged: #11886

See: https://blog.sentry.io/how-sentry-captures-csp-violations/

Reproduction

https://github.com/MathiasWP/sveltekit-csp-report-uri-bug

Logs

No response

System Info

System:
    OS: macOS 14.3.1
    CPU: (8) arm64 Apple M1 Pro
    Memory: 59.19 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.11.0 - ~/.nvm/versions/node/v20.11.0/bin/node
    npm: 10.2.4 - ~/.nvm/versions/node/v20.11.0/bin/npm
    pnpm: 8.12.0 - /opt/homebrew/bin/pnpm
    bun: 1.0.0 - ~/.bun/bin/bun
  Browsers:
    Brave Browser: 122.1.63.162
    Chrome: 121.0.6167.184
    Safari: 17.3.1
  npmPackages:
    @sveltejs/adapter-auto: ^3.0.0 => 3.1.1 
    @sveltejs/kit: ^2.0.0 => 2.5.2 
    @sveltejs/vite-plugin-svelte: ^3.0.0 => 3.0.2 
    svelte: ^4.2.7 => 4.2.12 
    vite: ^5.0.3 => 5.1.4

Severity

serious, but I can work around it

Additional Information

No response

@frederikhors

Maybe related to #11906?

MathiasWP changed the title from "report-uri in csp config does not accept valid input" to "report-uri in csp config does not accept valid input after v2.5.2" on Feb 27, 2024
dummdidumm added a commit that referenced this issue Feb 27, 2024
The inclusion of `svelte.config.js` is a breaking change since it's type-checked now and that can break projects which did type-check without errors previously
closes #11906

Also relaxes the report-uri types, fully qualified urls are also ok
closes #11905
dummdidumm added a commit that referenced this issue Mar 6, 2024