feat(csp): support for -elem and -attr directives#17214
Merging this PR will degrade performance by 23.66%

| | Mode | Benchmark | BASE | HEAD | Efficiency |
|---|---|---|---|---|---|
| ❌ | Simulation | many-components [streaming] | 8.9 ms | 11.6 ms | -23.66% |

Tip: Investigate this regression by commenting `@codspeedbot fix this regression` on this PR, or directly use the CodSpeed MCP with your agent.

Comparing feat/csp-elem-attr (4e9e42d) with main (f94280d)
🦋 Changeset detected

Latest commit: 4e9e42d

The changes in this PR will be included in the next version bump. This PR includes changesets to release 392 packages.
ArmandPhilippot
left a comment
Thanks! I left a few suggestions, mostly nits. My thinking is:
- some people check the current docs while they are not up-to-date, so we should give a hint about the version this was added/changed (i.e. v7 vs v7.1)
- there are a few patterns we avoid in docs (em dash, semicolon), so we should stay consistent
I'll probably do a second pass on the config file (not because something is wrong but because there was more content than I thought, so I may have missed something that might look odd in docs. Reviewing the JSDoc is not the same as reviewing a preview version.)
| * | ||
| * You must provide hashes that start with `sha384-`, `sha512-` or `sha256-`. Other values will cause a validation error. These hashes are added to all pages. | ||
| * | ||
| * Each entry can be a string or an object. The object allows changing the scope of the hash via the `kind` field. The `kind` field accepts: |
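Review bot: this JSDoc should say where a plain string (or `kind: 'default'`) hash ends up once an `element` or `attribute` entry exists. The PR description states that Astro-generated resources move to the more specific directive when one is present, but nothing here tells users whether their own default-kind hashes follow, and a hash left in the base `script-src`/`style-src` directive is not consulted by browsers for a markup element once the matching `-elem` directive is present. Suggest a sentence along the lines of "Hashes without a `kind` stay in the base directive; if any entry uses `kind: 'element'`, a hash must also be given with that kind to apply to elements" (adjusted to the actual behaviour).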
I think it's worth mentioning a version here. Some people look at the current docs while still behind:
| * Each entry can be a string or an object. The object allows changing the scope of the hash via the `kind` field. The `kind` field accepts: | |
| * Since Astro v7.1, each entry can be a string or an object. The object allows changing the scope of the hash via the `kind` field. The `kind` field accepts: |
| * | ||
| * A list of valid sources for `style-src` directives to override Astro's default sources. This will not include `'self'` by default, and must be included in this list if you wish to keep it. These resources are added to all pages. | ||
| * | ||
| * Each entry can be a string or an object. The object allows changing the scope of the source via the `kind` field. The `kind` field accepts: |
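Review bot: the `'self'` caveat two lines up needs to account for the new `kind` field. A user who keeps `'self'` as a plain string puts it in `style-src`, while a single object entry with `kind: 'element'` creates `style-src-elem`, which browsers then use instead of `style-src` for `<style>` and `<link>` elements, so `'self'` would silently stop applying to stylesheets. Suggest stating that `'self'` (and any other source) has to be repeated with the matching `kind` for every directive it is meant to cover, or documenting that Astro copies it automatically if that is what the implementation does.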
Same here:
| * Each entry can be a string or an object. The object allows changing the scope of the source via the `kind` field. The `kind` field accepts: | |
| * Since Astro v7.1, each entry can be a string or an object. The object allows changing the scope of the source via the `kind` field. The `kind` field accepts: |
Co-authored-by: Armand Philippot <git@armand.philippot.eu>
Changes
Closes #16233
Closes #14798
This PR enhances Astro CSP by adding support for `script-src-elem`, `script-src-attr`, `style-src-elem` and `style-src-attr`. These are specific directives.

In order to make the change as minimal as possible, I enhanced the existing configuration and APIs with the addition of a `kind` field. It's an enum that accepts the following values:

- `element`: store the resource in the `-elem` directive
- `attribute`: store the resource in the `-attr` directive
- `default`: the existing behaviour

I updated the configuration to reflect the new changes, so now the users can pass objects too (other than strings).
There's an important change in logic: the built-in resources, the ones created by Astro (client islands, responsive images, fonts, etc.), are automatically added to the more specific directive in case there's at least one.
Testing
Added various tests
Docs
withastro/docs#14196
/cc @withastro/maintainers-docs for feedback!
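As an added illustration that is not Astro's code and does not reproduce its implementation, the following JavaScript models the distribution rule described in this PR (`element` entries go to the `-elem` directive, `attribute` entries to `-attr`, `default` entries to the base directive, framework-generated hashes follow the more specific directive when one exists) together with the CSP3 fallback rule that makes the placement matter: once `script-src-elem` is present, browsers no longer consult `script-src` for `<script>` elements, so a default-kind hash stops unlocking the inline script it was computed for. The function names, the `{ resources, hashes, builtinHashes }` config shape, the assumption that built-in hashes belong with the `-elem` directive, and the hash values are all constructed for this example.

```javascript
// Added example, not Astro's implementation: models how entries carrying a
// `kind` are spread across a base directive and its -elem / -attr variants,
// and how a browser picks the directive that governs a given check.
// Hash values below are constructed placeholders, not real digests.

// kind -> directive name. Unknown kinds are rejected rather than silently
// dropped into the base directive.
function directiveFor(base, kind = 'default') {
  switch (kind) {
    case 'element':
      return `${base}-elem`;
    case 'attribute':
      return `${base}-attr`;
    case 'default':
      return base;
    default:
      throw new Error(`unknown kind: ${kind}`);
  }
}

// Only sha256-, sha384- and sha512- hash sources are accepted, mirroring the
// validation the JSDoc describes.
const HASH_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+=*$/;
function assertHash(value) {
  if (!HASH_RE.test(value)) throw new Error(`invalid hash source: ${value}`);
  return value;
}

// Entries are strings (kind defaults to 'default') or { value, kind } objects.
const normalize = (entry) =>
  typeof entry === 'string' ? { value: entry, kind: 'default' } : entry;

// Build a Map of directive name -> Set of sources for one base directive.
// `builtinHashes` stands for hashes the framework generates itself. Assumption
// (not verified against Astro): they describe markup elements, so they follow
// the -elem directive whenever the user's entries created one.
function buildDirectives(base, { resources = [], hashes = [], builtinHashes = [] } = {}) {
  const out = new Map();
  const add = (name, source) => {
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(source);
  };
  for (const { value, kind } of resources.map(normalize)) {
    add(directiveFor(base, kind), value);
  }
  for (const { value, kind } of hashes.map(normalize)) {
    add(directiveFor(base, kind), `'${assertHash(value)}'`);
  }
  const elem = `${base}-elem`;
  const target = out.has(elem) ? elem : base;
  for (const h of builtinHashes) add(target, `'${assertHash(h)}'`);
  return out;
}

// Render the Map as the value of a Content-Security-Policy header.
function serialize(directives) {
  return [...directives]
    .map(([name, sources]) => `${name} ${[...sources].join(' ')}`)
    .join('; ');
}

// CSP3 fallback: a browser consults the most specific directive present
// (-elem for markup elements, -attr for inline handlers / style attributes),
// then the base directive, then default-src. Once script-src-elem exists,
// sources left in script-src are never looked at for <script> elements.
function governingDirective(directives, base, kind) {
  for (const name of [directiveFor(base, kind), base, 'default-src']) {
    if (directives.has(name)) return name;
  }
  return null;
}

// Exact-match membership check (host-source wildcard matching is out of scope).
function allows(directives, base, kind, source) {
  const name = governingDirective(directives, base, kind);
  return name !== null && directives.get(name).has(source);
}

const USER_HASH = 'sha256-UserProvidedHashPlaceholder000000000000000000=';
const BUILTIN_HASH = 'sha256-AstroGeneratedHashPlaceholder00000000000000000=';

// Constructed configuration: one plain-string hash (kind 'default') next to an
// element-kind resource, which creates script-src-elem.
const SAMPLE = buildDirectives('script-src', {
  resources: ["'self'", { value: 'https://cdn.example.com', kind: 'element' }],
  hashes: [USER_HASH],
  builtinHashes: [BUILTIN_HASH],
});

console.log(serialize(SAMPLE));
// The user's default-kind hash sits in script-src, which the browser skips for
// <script> elements now that script-src-elem exists.
console.log(allows(SAMPLE, 'script-src', 'element', `'${USER_HASH}'`));
```

Running the block prints the assembled header and `false` for the user's hash, which is the footgun the `kind` field introduces for anyone mixing string and object entries: to keep a hash effective for elements it has to be placed in (or copied to) the `-elem` directive, and the same holds for `'self'` and any other source.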