Vite breaks when using require-trusted-types-for CSP in dev #10553
Description
Describe the bug
I'm setting up CSP for my site, and I'd like to keep mostly the same rules in dev as I do in prod, to catch potential errors early before deploying.
I turned on require-trusted-types-for 'script', which prevents using .innerHTML = <string> (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for). But, this breaks vite, which uses innerHTML inside updateStyle.
Reproduction
https://github.com/IanVS/vite-csp-require-trusted-types-for-reproduction
Steps to reproduce
Clone the repo above, npm install, npm run dev, and view the error in the console.
System Info
System:
OS: macOS 12.5.1
CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
Memory: 449.52 MB / 32.00 GB
Shell: 5.8.1 - /bin/zsh
Binaries:
Node: 16.14.2 - ~/.nvm/versions/node/v16.14.2/bin/node
Yarn: 1.22.19 - ~/.yarn/bin/yarn
npm: 8.12.1 - ~/.nvm/versions/node/v16.14.2/bin/npm
Browsers:
Brave Browser: 106.1.44.101
Firefox: 106.0
Safari: 15.6.1
npmPackages:
vite: ^3.1.0 => 3.1.8Used Package Manager
npm
Logs
No response
Validations
- Follow our Code of Conduct
- Read the Contributing Guidelines.
- Read the docs.
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- Make sure this is a Vite issue and not a framework-specific issue. For example, if it's a Vue SFC related bug, it should likely be reported to vuejs/core instead.
- Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
- The provided reproduction is a minimal reproducible example of the bug.