[webpack] Add a configuration option to set the CSP header during development
See original GitHub issuePreflight Checklist
- I have read the contribution documentation for this project.
- I agree to follow the code of conduct that this project follows, as appropriate.
- I have searched the issue tracker for a feature request that matches the one I want to file, without success.
Problem Description
Extracted from #2289:
Webpack property devtool
default not playing nice with content-security-policy
The new implementation of the
devtool
-property in the webpack config doesn’t work with the following HTML tag:<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
since that prevents execution fromeval
that is being run somewhere in the defaults of webpack.
Proposed Solution
Add a top-level Webpack plugin configuration option to customize the CSP header sent by webpack-dev-server
.
Alternatives Considered
Again, from #2289:
Manually set
devtool: 'source-map'
for the renderer process
This isn’t ideal for a couple of reasons:
source-map
is slower to generate thaneval-source-map
(or so I’m told)- This puts the onus on the app developer to know about this Webpack configuration option, and I’d prefer to avoid that.
Additional Information
Please note that app developers still need to set the <meta>
tag appropriately, for when the Electron app is bundled and distributed.
This will probably also need documentation on the website.
Issue Analytics
- State:
- Created 2 years ago
- Comments:12 (2 by maintainers)
Top Results From Across the Web
[webpack] Add a configuration option to set the CSP header ...
It appears that the default CSP headers in production mode allow for making requests to other domains (for example, we do POST requests...
Read more >Content Security Policies - webpack
Enabling CSP Here's an example of what a CSP header including a CDN white-listed URL might look like: Content-Security-Policy: default-src 'self'; script-src ' ......
Read more >Content Security Policies - Webpack 5 - W3cubDocs
Webpack is capable of adding nonce to all scripts that it loads. To activate the feature set a __webpack_nonce__ variable needs to be...
Read more >Content Security Policy: How to create an Iron-Clad nonce ...
In this Article, I will provide a step by step process on how to implement a CSP3 compliant strict-dynamic CSP policy and properly...
Read more >Content Security Policies - webpack 3 documentation
Webpack is capable of adding nonce to all scripts that it loads. ... A corresponding header Content-Security-Policy or meta tag <meta ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Add
devContentSecurityPolicy
toforge.config.js
like this:THANK YOU !!! it works))