-
-
Notifications
You must be signed in to change notification settings - Fork 6.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSP Injects Incorrectly on Elements Without Closing Tag #16281
Labels
p3-minor-bug
An edge case that only affects very specific usage (priority)
Comments
sapphi-red
added
the
p3-minor-bug
An edge case that only affects very specific usage (priority)
label
Mar 29, 2024
patak-dev
pushed a commit
that referenced
this issue
Mar 31, 2024
Co-authored-by: 翠 / green <[email protected]>
patak-dev
pushed a commit
that referenced
this issue
Apr 5, 2024
Co-authored-by: 翠 / green <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Describe the bug
Recently Content Security Policy (CSP) support was added (see: #16052). However, the injection process behaves incorrectly on elements that do not have a closing tag.
For example:
<link rel="stylesheet" href="/roboto.css" />
Becomes this with the current CSP injection behavior:
<link rel="stylesheet" href="/roboto.css" / nonce="abc123">
But it should become:
<link rel="stylesheet" href="/roboto.css" nonce="abc123"/>
This is caused by an offset in the injection function being statically set to 1.
Reproduction
https:/gregtwallace/legocerthub-frontend
Steps to reproduce
Set the following in the vite config:
Add a stylesheet link to the index.html file:
Run
npx vite
open the app in a browser, and view the source code that is served.System Info
Used Package Manager
npm
Logs
No response
Validations
The text was updated successfully, but these errors were encountered: