html.cspNonce option injects nonce values onto <script> tags that already contain a nonce #16414
Closed
thebanjomatic added a commit to thebanjomatic/vite that referenced this issue (Apr 12, 2024)
thebanjomatic added a second commit to thebanjomatic/vite that referenced this issue (Apr 12, 2024)
sapphi-red added the labels "feat: html" and "p3-minor-bug" (an edge case that only affects very specific usage; priority) (Apr 13, 2024)
thebanjomatic added a commit to thebanjomatic/vite that referenced this issue (Apr 13, 2024)
Describe the bug

If you have <script> tags that already contain a nonce in your index.html, vite will add its own nonce tag, resulting in a <script> with repeated nonce attributes which then fails to load.

For example, vite.config.ts

Generates:

Note: The fact that MY_NONCE and VITE_NONCE are different identifiers is actually irrelevant to the problem, and in my real use-case they happen to both be the same value being replaced at runtime when the index.html response is served.

When trying to run, this fails CSP in the browser:

Expected behavior

I would expect vite to ignore any <script> or <link> tags that already contain a nonce attribute rather than inject a second one. While you could argue that I could just remove the nonce from my script tags in index.html, the situation is actually a little more complicated than that, as I have plugins which are injecting these tags that have their own mechanism for injecting cspNonce, since this feature did not exist until Vite v5.2. Those plugins could be made aware of cspNonce (and probably will be), but in the meantime I still think that it's a bug for vite to inject nonce onto tags that have one explicitly defined already.

Reproduction

https://stackblitz.com/edit/vitejs-vite-fmzzip?file=index.html

Steps to reproduce

It's probably easiest to just build the reproducer and verify that the <script> tag has multiple nonce attributes to reproduce the problem.

System Info

Used Package Manager

yarn

Logs

No response

Validations
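The behaviour reported above, modelled as an added example (not Vite's own html.cspNonce implementation): a naive transform that always appends a nonce to <script> and <link> tags, beside a fixed variant that leaves tags alone when they already carry a nonce attribute. The sample index.html, the helper names and the nonce placeholder values are constructed for the example.

```javascript
// Added example, not Vite's code: a minimal model of an HTML transform that
// injects a CSP nonce onto <script> and <link> tags.
const TAG_RE = /<(script|link)\b([^>]*?)(\/?)>/gi;
const HAS_NONCE_RE = /(^|\s)nonce\s*=/i;

// Buggy variant (the behaviour the issue describes): the nonce is appended
// unconditionally, so a tag that already has one ends up with two nonce
// attributes.
function injectNonceNaive(html, nonce) {
  return html.replace(TAG_RE, (m, tag, attrs, close) =>
    `<${tag}${attrs} nonce="${nonce}"${close}>`);
}

// Fixed variant: skip tags on which the author or another plugin already set
// an explicit nonce attribute; only tags without one get the configured nonce.
function injectNonce(html, nonce) {
  return html.replace(TAG_RE, (m, tag, attrs, close) =>
    HAS_NONCE_RE.test(attrs) ? m : `<${tag}${attrs} nonce="${nonce}"${close}>`);
}

// Diagnostic used to check a transformed document: the highest number of
// nonce attributes found on any single <script>/<link> tag. Anything above 1
// is the duplicate-attribute case from the report.
function maxNonceAttrsPerTag(html) {
  let max = 0;
  for (const [, , attrs] of html.matchAll(TAG_RE)) {
    const n = (attrs.match(/(^|\s)nonce\s*=/gi) || []).length;
    if (n > max) max = n;
  }
  return max;
}

// Constructed sample index.html (placeholder nonce values, not real ones):
// one tag with an explicit nonce, one script and one link without.
const SAMPLE_HTML = [
  '<script type="module" nonce="MY_NONCE" src="/plugin.js"></script>',
  '<script type="module" src="/src/main.ts"></script>',
  '<link rel="stylesheet" href="/style.css">',
].join('\n');

console.log('naive:\n' + injectNonceNaive(SAMPLE_HTML, 'VITE_NONCE'));
console.log('fixed:\n' + injectNonce(SAMPLE_HTML, 'VITE_NONCE'));
```

Running it prints the naive output with two nonce attributes on the first script tag, and the fixed output where that tag is untouched while the other two tags receive VITE_NONCE.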