Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unnecessary data script execution requires unsafe CSP #4762

Closed
1 task
erquhart opened this issue Sep 14, 2022 · 3 comments · Fixed by #4768
Closed
1 task

Unnecessary data script execution requires unsafe CSP #4762

erquhart opened this issue Sep 14, 2022 · 3 comments · Fixed by #4768
Assignees
@matthewp
Labels
- P3: minor bug An edge case that only affects very specific usage (priority)

Comments

@erquhart
Copy link

erquhart commented Sep 14, 2022
edited
Loading

What version of astro are you using?

1.2.1

Are you using an SSR adapter? If so, which one?

None

What package manager are you using?

npm

What operating system are you using?

Mac

Describe the Bug

For discoverability/searchability, this issue is about errors due to data:text/javascript;charset=utf-8,//[no before-hydration script].

Astro outputs a noop script using data protocol for components with client directives (I've only tried React specifically). I don't know why its necessary, but the code comments indicate an assumption that browsers will just ignore it - this isn't the case if you have a CSP that doesn't allow script execution via the data protocol.

This results in some of our scripts not loading in production. I haven't found a clear workaround - I've even tried stripping the offending output post build, but that leaves a null value that results in an error.

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-744pb4

In the reproduction, I've done the following

  • Started with the basic Astro template via astro.new
  • Converted the Card component to jsx (stripped out styles for simplicity)
  • Added the react integration
  • Added a minimal CSP via meta tag (script-src * 'unsafe-inline' 'unsafe-eval')

To reproduce:

  1. Run npm start to run the dev server - you'll see "It's working!" printed in the console on each render.
  2. Run npm run build && npm run preview to run the preview server and load the page in a separate window.
  3. You'll see no "It's working!" log printed, and a CSP error that points to the data: script mentioned above.

Participation

  • I am willing to submit a pull request for this issue.

I don't know enough about this issue to work on a pull request, but hopefully the repro is at least helpful if others run into this and want to better understand it.
@matthewp
Copy link
Contributor

Thanks, we can probably just avoid adding this when it's not used

@matthewp matthewp self-assigned this Sep 14, 2022
@matthewp matthewp added the - P3: minor bug An edge case that only affects very specific usage (priority) label Sep 14, 2022
@matthewp matthewp mentioned this issue Sep 15, 2022
Merged
@matthewp
Copy link
Contributor

PR to remove this when not used: #4768

@peterpeterparker
Copy link

I am migrating to Astro since a couple of days and was literally debugging this final issue today when I landed on this recent PR. Upgraded to last version and problem solved. You are the MVPs, thanks a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@matthewp matthewp

Labels
- P3: minor bug An edge case that only affects very specific usage (priority)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Ensure before-hydration is only loaded when used withastro/astro
3 participants
@matthewp @erquhart @peterpeterparker