sveltekit fails to automatically generate CSP hashes for inline styles #5215
Comments
|
Unfortunately this is a limitation of the CSS transition mechanism that Svelte currently uses. For Svelte 4 we'd like to switch to the Web Animations API, since it's now supported widely enough. There's a related thread at sveltejs/svelte#6662. One workaround (which may or may not be possible in your case) is to either leave It looks like we could solve before Svelte 4 by tweaking Svelte to work around Safari's awfulness and automatically injecting a known hash whenever |
Cool, good to know. I will keep adding the hash myself for the time being, thank you! |
* document transition CSP caveat (#5215) * Update documentation/docs/15-configuration.md
|
closed via #5556 but i'll reopen it for now, in case we do end up solving this at the svelte level |
Describe the bug
When using transitions, it seems svelte adds inline styles to the html but then sveltekit fails to automatically add a hash for it causing errors in the browser.
This is what my svelte.config.js has under CSP:
And this is the piece of code that adds inline styles:
Only way to get it working is to add the hash myself to the CSP but that's lame.
Am I doing something wrong? Or is it broken?
Reproduction
Add a transition to your app and then set CSP for style-src to ['self']
Logs
System Info
System: OS: Linux 5.18 Arch Linux CPU: (8) x64 Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz Memory: 28.28 GB / 31.31 GB Container: Yes Shell: 5.1.16 - /bin/bash Binaries: Node: 18.3.0 - /usr/bin/node npm: 8.5.5 - /usr/bin/npm Browsers: Chromium: 102.0.5005.115Severity
annoyance
Additional Information
The worst thing of all is if I add the hash myself then it doesn't work under dev mode.... So I have to remove and then add back for production...
The text was updated successfully, but these errors were encountered: