From eec4d0582aae148df53a141c959bd2f5b78130ba Mon Sep 17 00:00:00 2001
From: Aaron Stanek
Date: Mon, 8 Jan 2024 15:30:42 -0800
Subject: [PATCH 1/2] CSP skips nonce in style-src when using unsafe-inline

---
 .changeset/ninety-clouds-love.md | 5 ++++
 packages/kit/src/runtime/server/page/csp.js | 2 +-
 .../kit/src/runtime/server/page/csp.spec.js | 26 +++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/ninety-clouds-love.md

diff --git a/.changeset/ninety-clouds-love.md b/.changeset/ninety-clouds-love.md
new file mode 100644
index 000000000000..337b3cc4d403
--- /dev/null
+++ b/.changeset/ninety-clouds-love.md
@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+fix: Do not automatically add a nonce to the `style-src` directive in the Content Security Policy when the `style-src` directive already contains `unsafe-inline`.
\ No newline at end of file
diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 6bd55f9c0c38..1816839a2e0d 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -166,7 +166,7 @@ class BaseProvider {
 this.#style_src_elem.push(`sha256-${hash}`);
 }
 } else {
- if (this.#style_src.length === 0) {
+ if (this.#style_src.length === 0 && !d['style-src']?.includes('unsafe-inline')) {
 this.#style_src.push(`nonce-${this.#nonce}`);
 }
 if (d['style-src-attr']?.length) {
diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 24a7afe74adb..93b487c18646 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
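Review bot: The new guard on the `if` in the nonce branch needs a comment stating why it exists, because read on its own it looks like an arbitrary exception: under CSP Level 2 and later, a directive that carries a nonce or hash causes `'unsafe-inline'` in that directive to be ignored, so pushing `nonce-…` into a `style-src` that already lists `'unsafe-inline'` would silently tighten the policy the author explicitly chose. Suggested: `// CSP ignores 'unsafe-inline' once a nonce/hash is present in the directive, so do not add one to a style-src the author has deliberately left inline-permissive`. The same rule applies to hashes; the `sha256-` push into `#style_src_elem` at the top of the hunk belongs to a branch that starts outside the hunk, so it is worth confirming it carries an equivalent `style-src`-specific check (the existing `skips hash with unsafe-inline` spec suggests the `default-src` fallback case is handled, but the `style-src` case is not visible here). The guard also consults only `d['style-src']`; when that key is absent the `default-src` fallback is not inspected at this line, which is presumably handled where `#style_src` is initialised but should be verified. The enclosing method starts and ends outside the hunk.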
@@ -102,6 +102,32 @@ test('skips nonce with unsafe-inline', () => {
 assert.equal(csp.report_only_provider.get_header(), "default-src 'unsafe-inline'; report-uri /");
 });
 
+test('skips nonce in style-src when using unsafe-inline', () => {
+ const csp = new Csp(
+ {
+ mode: 'nonce',
+ directives: {
+ 'style-src': ['self', 'unsafe-inline']
+ },
+ reportOnly: {
+ 'style-src': ['self', 'unsafe-inline'],
+ 'report-uri': ['/']
+ }
+ },
+ {
+ prerender: false
+ }
+ );
+
+ csp.add_style('');
+
+ assert.equal(csp.csp_provider.get_header(), "style-src 'self' 'unsafe-inline'");
+ assert.equal(
+ csp.report_only_provider.get_header(),
+ "style-src 'self' 'unsafe-inline'; report-uri /"
+ );
+});
+
 test('skips hash with unsafe-inline', () => {
 const csp = new Csp(
 {
From 69a2713abbf3fc55d9afa41fbd825fe6b61d03b2 Mon Sep 17 00:00:00 2001
From: Rich Harris
Date: Tue, 9 Jan 2024 18:49:30 -0500
Subject: [PATCH 2/2] Update .changeset/ninety-clouds-love.md

---
 .changeset/ninety-clouds-love.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/ninety-clouds-love.md b/.changeset/ninety-clouds-love.md
index 337b3cc4d403..f418a5e0b35b 100644
--- a/.changeset/ninety-clouds-love.md
+++ b/.changeset/ninety-clouds-love.md
@@ -2,4 +2,4 @@
 "@sveltejs/kit": patch
 ---
 
-fix: Do not automatically add a nonce to the `style-src` directive in the Content Security Policy when the `style-src` directive already contains `unsafe-inline`.
\ No newline at end of file
+fix: only add nonce to `style-src` CSP directive when `unsafe-inline` is not present
\ No newline at end of file
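Review bot: The new test pins only `mode: 'nonce'`; the adjacent `skips hash with unsafe-inline` test shows that hashes are subject to the same `'unsafe-inline'` rule, so a `mode: 'hash'` counterpart using the same `'style-src': ['self', 'unsafe-inline']` directives would guard the other branch of the implementation, assuming it applies the same check there. Asserting on the `report_only_provider` header alongside the main one is a good choice, since both providers share the nonce logic. The test body is complete within the hunk.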