Vite breaks when using require-trusted-types-for CSP in dev
#10553
Comments
|
I think we still can't make it work with vite/packages/vite/src/client/overlay.ts Line 142 in 57916a4 That said, I created a PR as I don't find a reason to use |
|
There is still the line that @sapphi-red pointed out above. |
|
I think what can fix this is using sanitized input internally, rather than setting it with innerHTML. |
This could be fixed by using this.root.innerHTML = DOMPurify.sanitize(template, {RETURN_TRUSTED_TYPE: true});the cost would be to add an extra dependency DOMPurify (which is probably the most known JS lib for XSS sanitizing). The proposed code change is what I use in my own projects to get over |
Describe the bug
I'm setting up CSP for my site, and I'd like to keep mostly the same rules in dev as I do in prod, to catch potential errors early before deploying.
I turned on
require-trusted-types-for 'script', which prevents using.innerHTML = <string>(https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for). But, this breaks vite, which usesinnerHTMLinside updateStyle.Reproduction
https://github.com/IanVS/vite-csp-require-trusted-types-for-reproduction
Steps to reproduce
Clone the repo above,
npm install,npm run dev, and view the error in the console.System Info
System: OS: macOS 12.5.1 CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz Memory: 449.52 MB / 32.00 GB Shell: 5.8.1 - /bin/zsh Binaries: Node: 16.14.2 - ~/.nvm/versions/node/v16.14.2/bin/node Yarn: 1.22.19 - ~/.yarn/bin/yarn npm: 8.12.1 - ~/.nvm/versions/node/v16.14.2/bin/npm Browsers: Brave Browser: 106.1.44.101 Firefox: 106.0 Safari: 15.6.1 npmPackages: vite: ^3.1.0 => 3.1.8Used Package Manager
npm
Logs
No response
Validations
The text was updated successfully, but these errors were encountered: