-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unnecessary data script execution requires unsafe CSP #4762
Labels
- P3: minor bug
An edge case that only affects very specific usage (priority)
Comments
Thanks, we can probably just avoid adding this when it's not used |
PR to remove this when not used: #4768 |
I am migrating to Astro since a couple of days and was literally debugging this final issue today when I landed on this recent PR. Upgraded to last version and problem solved. You are the MVPs, thanks a lot! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What version of
astro
are you using?1.2.1
Are you using an SSR adapter? If so, which one?
None
What package manager are you using?
npm
What operating system are you using?
Mac
Describe the Bug
For discoverability/searchability, this issue is about errors due to
data:text/javascript;charset=utf-8,//[no before-hydration script]
.Astro outputs a noop script using
data
protocol for components with client directives (I've only tried React specifically). I don't know why its necessary, but the code comments indicate an assumption that browsers will just ignore it - this isn't the case if you have a CSP that doesn't allow script execution via the data protocol.This results in some of our scripts not loading in production. I haven't found a clear workaround - I've even tried stripping the offending output post build, but that leaves a null value that results in an error.
Link to Minimal Reproducible Example
https://stackblitz.com/edit/github-744pb4
In the reproduction, I've done the following
script-src * 'unsafe-inline' 'unsafe-eval'
)To reproduce:
npm start
to run the dev server - you'll see "It's working!" printed in the console on each render.npm run build && npm run preview
to run the preview server and load the page in a separate window.data:
script mentioned above.Participation
I don't know enough about this issue to work on a pull request, but hopefully the repro is at least helpful if others run into this and want to better understand it.
The text was updated successfully, but these errors were encountered: