Vite 5.2 meta tag to support new csp nonce tagging #444
Description 📖
Prior to Vite 5.2, it was not possible to define a strict CSP (Content Security Policy) for the style-src-elem & script-src-elem directives, as Vite would dynamically generate and insert these tags into the head but did not add the nonce value needed by the stricter CSP. This can be useful if you're trying to align your development and production CSPs to be similar in scope, hopefully catching CSP issues early.

In Vite 5.2, support for client-side nonce tagging of assets was added. Generated script & style tags get tagged with a nonce if a properly crafted meta tag is detected in the document. Unfortunately, Rails' default csp_meta_tag is not the format Vite expects.

Rails generates:
Vite expects:
This PR adds a new helper, vite_csp_meta_tag, which generates a meta tag in the format Vite expects, allowing the dynamically added script and style tags to properly have a nonce set. This in turn allows for a more strict CSP for those directives.

See:
https://github.com/vitejs/vite/pull/16052/files
https://vitejs.dev/guide/features.html#content-security-policy-csp
Background 📜
Using Rails and Vite prior to 5.2 did not allow a strict CSP.
The Fix 🔨
Make use of Vite 5.2's new CSP tagging support with a properly crafted csp-nonce meta tag.
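The following is an added example, not code from this PR or from vite_rails, showing in plain Ruby why the Rails tag is ignored by Vite and what the helper must emit instead. The two tag shapes are taken from the Rails and Vite documentation (the page elides them): Rails' csp_meta_tag emits `meta[name=csp-nonce][content=...]`, while Vite's client looks up `meta[property=csp-nonce]` and reads its `nonce` attribute. The helper name `vite_csp_meta_tag` matches the PR's, but the implementation, the regex stand-in for Vite's querySelector lookup, and the miniature CSP nonce check are assumptions made for this example.

```ruby
require 'erb'
require 'securerandom'

# Added example (not code from this PR or from vite_rails): a stand-alone sketch
# of what the helper has to emit. The two tag formats below come from the Rails
# and Vite documentation, not from this page.

# What Rails' built-in csp_meta_tag emits. Vite's client does not read this.
def rails_csp_meta_tag(nonce)
  %(<meta name="csp-nonce" content="#{ERB::Util.html_escape(nonce)}" />)
end

# The shape Vite 5.2+ looks for: meta[property=csp-nonce] with a nonce attribute.
# Returns an empty string when no nonce is configured so the tag is simply omitted.
def vite_csp_meta_tag(nonce)
  return '' if nonce.nil? || nonce.empty?
  %(<meta property="csp-nonce" nonce="#{ERB::Util.html_escape(nonce)}" />)
end

# Approximates the Vite client's lookup (querySelector('meta[property=csp-nonce]')
# followed by reading its nonce) with a regex, so the check runs without a browser.
# Attribute order inside the tag does not matter. Assumption: a simplified model.
def vite_detected_nonce(html)
  html.scan(/<meta\b[^>]*>/i).each do |tag|
    next unless tag =~ /\bproperty=["']csp-nonce["']/i
    m = tag.match(/\bnonce=["']([^"']*)["']/i)
    return m[1] if m
  end
  nil
end

# A CSP that only allows script/style elements carrying the nonce. If Vite's
# injected tags lack it, the browser blocks them and the dev page breaks.
def strict_csp_header(nonce)
  "script-src-elem 'self' 'nonce-#{nonce}'; style-src-elem 'self' 'nonce-#{nonce}'"
end

# Would a script tag Vite injects with this nonce pass the given header? A tiny
# model of the browser's script-src-elem check; only the nonce source is modelled.
def nonce_allowed?(header, tag_nonce)
  return false if tag_nonce.nil? || tag_nonce.empty?
  directive = header.split(';').map(&:strip).find { |d| d.start_with?('script-src-elem') }
  return false unless directive
  directive.split[1..].include?("'nonce-#{tag_nonce}'")
end

if __FILE__ == $PROGRAM_NAME
  nonce = SecureRandom.base64(16)   # constructed per-request nonce
  header = strict_csp_header(nonce)
  puts "CSP: #{header}"
  [rails_csp_meta_tag(nonce), vite_csp_meta_tag(nonce)].each do |tag|
    seen = vite_detected_nonce("<head>#{tag}</head>")
    puts "#{tag}\n  Vite sees nonce: #{seen.inspect}; injected tags allowed: #{nonce_allowed?(header, seen)}"
  end
end
```

Running the script shows the point of the PR: with the Rails-style tag Vite finds no nonce, so its injected script and style elements carry none and a strict script-src-elem / style-src-elem policy blocks them; with the property="csp-nonce" tag the same policy passes. The nonce is HTML-escaped before being placed in the attribute so that the helper cannot be used to break out of the tag.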