CSP compliant polyfills loader
Currently polyfills loader is being injected as inline script, which is not CSP compliant.
Possible solution would be to create a chunk and include it script.src, but it will mean that it will be an extra round trip, which can be mitigated by preloading
Issue Analytics
- State:
- Created 4 years ago
- Reactions:1
- Comments:12 (9 by maintainers)
Top GitHub Comments
@jhuesos I am finishing up the new plugin this week. I’ll make sure CSP ends up in there as well.
We don’t need to preload polyfill loader because it will be added as a regular script. The browser already scans and preloads any regular <script src=".."> it finds. We do need to preload the app code because it’s added dynamically, in the polyfill loader.
Thanks for the code snippet, will make use of that.
This has been implemented
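
The change discussed in this thread, as an added example that is not code from the issue or from @web/polyfills-loader: an inline loader is blocked by a `script-src` policy without `'unsafe-inline'`, and moving it to an external file with a preload hint for the dynamically injected app code removes the violation. The function names, file paths, sample HTML and policy are constructed for illustration, and the check models only inline-script blocking (no nonce or hash matching, no validation of external sources).

```javascript
// Added illustration, not project code. Names, paths and HTML are constructed.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// Sources that govern scripts: script-src, falling back to default-src.
function scriptSources(csp) {
  const directives = csp.split(';').map((d) => d.trim().split(/\s+/));
  const pick = (name) => directives.find((d) => d[0].toLowerCase() === name);
  const hit = pick('script-src') || pick('default-src');
  return hit ? hit.slice(1) : null; // null: no directive restricts scripts
}

// Inline <script> bodies the policy would block. Simplification: the sample
// scripts carry no nonce, so a nonce/hash source in the policy never matches.
function blockedInlineScripts(html, csp) {
  const sources = scriptSources(csp);
  if (sources === null) return [];
  // A nonce or hash source makes browsers ignore 'unsafe-inline'.
  const strict = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const inlineAllowed = !strict && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (inlineAllowed) return [];
  return [...html.matchAll(SCRIPT_RE)]
    .filter((m) => !/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== '')
    .map((m) => m[2].trim());
}

// Move each inline script into its own file referenced by src, and add
// preload hints for app code that the loader injects dynamically.
function externalizeLoader(html, loaderPath, appEntries) {
  const files = {};
  let n = 0;
  const moved = html.replace(SCRIPT_RE, (tag, attrs, body) => {
    if (/\bsrc\s*=/i.test(attrs) || body.trim() === '') return tag;
    const path = n++ === 0 ? loaderPath : loaderPath.replace(/\.js$/, `-${n}.js`);
    files[path] = body.trim(); // content to write next to the page at build time
    return `<script src="${path}"></script>`;
  });
  const hints = appEntries.map((p) => `<link rel="preload" href="${p}" as="script">`).join('');
  return { html: moved.replace(/<\/head>/i, () => `${hints}</head>`), files };
}

// Constructed sample: a page whose inline loader injects ./app.js dynamically.
const SAMPLE_HTML = '<html><head><title>app</title></head><body>' +
  '<script>(function(){var s=document.createElement("script");s.src="./app.js";document.head.appendChild(s);})();</script>' +
  '</body></html>';
const POLICY = "default-src 'none'; script-src 'self'";

const fixed = externalizeLoader(SAMPLE_HTML, './polyfills-loader.js', ['./app.js']);
console.log(blockedInlineScripts(SAMPLE_HTML, POLICY).length, blockedInlineScripts(fixed.html, POLICY).length);
```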