Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

nonce tag in __vitePreload (CSP)

See original GitHub issue

Description

I am trying to migrate or default tooling from Webpack to Vite.

The main issue is nonce security police.

Actually, we handle it using __webpack_nonce__

https://webpack.js.org/guides/csp/

I can’t interact with the preload function to change it.

https://github.com/vitejs/vite/blob/05712323b292492e9161a6ff7b20bfce43097dfb/packages/vite/src/node/plugins/importAnalysisBuild.ts#L58-L103

I’m already injecting the preload tags manually, JavaScript and CSS files.

Alternative

No response

Additional context

Example Application

https://github.com/nextcloud/text/blob/48b21b6e524c4aef78a1046e1f19a2bbd85837c4/src/main.js#L3-L4

Nextcloud apps

Nextcloud is modular, and allow the users to install a variety of apps. These apps can inject scripts in many parts of nextcloud.

For secure reasons, we use CSP to prevent malicious script injections.

Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-cHQ...bz0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self';frame-ancestors 'self';form-action 'self'

Validations

Follow our Code of Conduct
Read the Contributing Guidelines.
Read the docs.
Check that there isn’t already an issue that request the same feature to avoid creating a duplicate.

Issue Analytics

State:
Created a year ago
Reactions:12
Comments:6

Top GitHub Comments

4reactions

Carminepo2commented, Nov 19, 2022

Running into this issue too. I’m disabling all the dynamic import because I could not set the nonce token on the generated tags. Waiting for a solution

4reactions

seth-seikosoftcommented, Nov 16, 2022

I’m just now running into this as well. I converted our apps to Vite a few months ago and I love using it, it’s SO FAST.

I’ve done a little googling trying to figure out if there is a plugin that will do this and I haven’t found anything.

Do we have any updates on this issue?

Top Results From Across the Web

Content Security Policies - webpack

Webpack is capable of adding a nonce to all scripts that it loads. To activate this feature, set a __webpack_nonce__ variable and include...

Vite on Twitter: " vite@3.2.0-beta.1 is out! https://t.co ...

Description I am trying to migrate or default tooling from Webpack to Vite. The main issue is nonce security police. Actually, we handle...

702612 - CSP nonce is not applied to Link rel=preload

Issue 702612: CSP nonce is not applied to Link rel=preload ... The `Link` tag should use the `nonce` attribute to preload the script,...

SvelteKit Content Security Policy: CSP for XSS Protection

To avoid calculating a hash on each request, we instead generate a random string; a nonce. We include the nonce it script tags...

Asset Bundling (Vite) - The PHP Framework For Web Artisans

... Disabling Vite In Tests; Server-Side Rendering (SSR); Script & Style Tag Attributes. Content Security Policy (CSP) Nonce; Subresource Integrity (SRI) ...