feat: experimental CSP #13802


Draft: wants to merge 13 commits into main

Conversation

ematipico
Member

@ematipico ematipico commented May 14, 2025

Changes

API Bash instructions

Check out this repository.

git clone https://github.com/ematipico/astro-csp
cd astro-csp
pnpm i

You can test CSP using the command pnpm start

pnpm start

As explained in the README.md, you can't use the pnpm dev command because of how Vite works.

There are three pages:

  • /counter, which uses a React component
  • /islands, which uses server Islands
  • /transitions (this seems borked, so I'll have to investigate why, but view transitions swap all the head elements, so maybe that's the reason)
  • /index, a list of the previous pages

All pages have custom <style>.

Tasks

  • In /counter, try to use different client directives, for example client:only="react"
  • In /islands, try to add props to the islands, or the fallback or slots too
  • Try to add other styles in different means, such as importing a file from an external file
  • Try to customise the directives, and add one regarding images where they can be loaded only from one source e.g. an external website

Testing

Docs


changeset-bot bot commented May 14, 2025

🦋 Changeset detected

Latest commit: 93abee5

The changes in this PR will be included in the next version bump.


@github-actions github-actions bot added pkg: astro Related to the core `astro` package (scope) docs pr labels May 14, 2025

codspeed-hq bot commented May 14, 2025

CodSpeed Performance Report

Merging #13802 will not alter performance

Comparing feat/csp (89ef3c4) with main (3c3b492)

Summary

✅ 6 untouched benchmarks

@github-actions github-actions bot added the pkg: integration Related to any renderer integration (scope) label May 16, 2025
@ematipico ematipico self-assigned this May 21, 2025
@github-actions github-actions bot removed the pkg: integration Related to any renderer integration (scope) label May 22, 2025
@ematipico ematipico added pkg: integration Related to any renderer integration (scope) pr preview This PR has a preview release labels May 22, 2025
@ematipico ematipico removed the pr preview This PR has a preview release label May 22, 2025
@github-actions github-actions bot removed the pkg: integration Related to any renderer integration (scope) label May 22, 2025
@ematipico ematipico added the pr preview This PR has a preview release label May 22, 2025
@github-actions github-actions bot removed the pr preview This PR has a preview release label May 22, 2025

pkg-pr-new bot commented May 22, 2025

astro

npm i https://pkg.pr.new/astro@13802

@astrojs/cloudflare

npm i https://pkg.pr.new/@astrojs/cloudflare@13802

@astrojs/netlify

npm i https://pkg.pr.new/@astrojs/netlify@13802

@astrojs/node

npm i https://pkg.pr.new/@astrojs/node@13802

@astrojs/vercel

npm i https://pkg.pr.new/@astrojs/vercel@13802

commit: 89ef3c4

@ematipico ematipico added this to the v5.9.0 milestone May 28, 2025
@HiDeoo
Member

HiDeoo commented May 30, 2025

Small feedback from me playing during the amazing API bash:

Directives not requiring a value

This is only a type issue, but some directives like upgrade-insecure-requests, sandbox, or trusted-types don't require a value.

For example, for `upgrade-insecure-requests`, the expected value is `upgrade-insecure-requests ${string}`, but it should be `upgrade-insecure-requests` without any value.

I guess there are 2 cases here:

  • Directives not accepting a value at all, like `upgrade-insecure-requests`, where the type should only be `'upgrade-insecure-requests'`.
  • Directives that can be used with or without a value, like `sandbox` and `trusted-types`, where the type should be `'sandbox' | \`sandbox ${string}\``.

report-uri directive

The report-uri directive is deprecated in favor of report-to, but as documented, until report-to is broadly supported you can specify both:

Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to endpoint_name

I think we need to support both directives at the moment.
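As an added example (not code from this PR or from Astro), the two directive cases described in the comment above can be modelled in TypeScript, with a runtime check for directive strings read from untyped config and a serializer that emits `report-uri` alongside `report-to`; the set of directive names and the `reporting` option are assumptions chosen for illustration.

```typescript
// Added example, not the PR's code: three kinds of CSP directive strings.

/** Directives that never take a value. */
type ValuelessDirective = 'upgrade-insecure-requests';

/** Directives usable with or without a value. */
type OptionalValueDirective =
  | 'sandbox' | `sandbox ${string}`
  | 'trusted-types' | `trusted-types ${string}`;

/** Directives that always need a source list or value (assumed subset). */
type ValuedDirective =
  | `default-src ${string}` | `script-src ${string}` | `style-src ${string}`
  | `img-src ${string}` | `report-uri ${string}` | `report-to ${string}`;

type CspDirective = ValuelessDirective | OptionalValueDirective | ValuedDirective;

interface CspConfig {
  directives: CspDirective[];
  /** Hypothetical option: reporting endpoint name (for report-to) and its URL (for report-uri). */
  reporting?: { endpointName: string; url: string };
}

/** Runtime mirror of the type rules, for directive strings loaded from config files. */
function isValidDirective(raw: string): raw is CspDirective {
  const [name, ...rest] = raw.trim().split(/\s+/);
  const hasValue = rest.length > 0;
  if (name === 'upgrade-insecure-requests') return !hasValue; // value is an error
  if (name === 'sandbox' || name === 'trusted-types') return true; // value optional
  const valued = ['default-src', 'script-src', 'style-src', 'img-src', 'report-uri', 'report-to'];
  return valued.includes(name) && hasValue; // value required
}

/** Builds the header value; while report-to support is uneven, both reporting directives are emitted. */
function serializeCsp(config: CspConfig): string {
  const parts: string[] = config.directives.map((d) => d.replace(/\s+/g, ' ').trim());
  if (config.reporting) {
    parts.push(`report-uri ${config.reporting.url}`);      // deprecated, still widely honoured
    parts.push(`report-to ${config.reporting.endpointName}`); // Reporting API endpoint name
  }
  return parts.join('; ');
}
```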
