livereload/livereload-js

Add strict support for CSP

Opened this issue · 9 comments

Add option to allow script to short-circuit if it cannot find livereload.js inside a script tag with the integrity attribute.

smhg commented

First of all: it's probably not a good idea to run livereload in an environment that has a CSP.

But for testing purposes it would definitely still be nice to remove the need for script-src 'unsafe-eval' and style-src 'unsafe-inline' if possible (as I assume that's what causes the need for the integrity attribute).
If not, I guess we can consider the option you suggest.

Would you be able to have a look at this and send a PR?

Let's track this until I prove the WHATWG spec is either wrong or Chromium grossly misinterpreted the spec, then I'll send in a PR. Note I'm using this inside Hugo and they're pretty trigger-happy when it comes to closing issues without doing their due diligence: gohugoio/hugo#4836

If you want to close too, that's cool. Up to you boss. BTW best product evar!

smhg commented

Well, we aren't going to hit zero open issues anytime soon. So it doesn't matter too much.
But I'm still not sure what the actionable item is here. It would be great if you could elaborate when you know more. Thanks!

To elaborate, I'm looking for a solution to the hugo issue here in the upstream as it feels possibly like a more general issue than just hugo. If there's anything which can be done with regard to CSP to improve security of code run in the inline script block, that would be the ideal fix. As it stands YaBrowser (Chrome) will refuse to run live reload if not explicitly whitelisted using an SRI integrity value.

I created a test case for W3C here w3c/webappsec-subresource-integrity#44 and the more I look at this the more it looks like an issue in the hugo injector here:

https://github.com/gohugoio/hugo/blob/789ef8c639e4621abd36da530bcb5942ac9297da/transform/livereloadinject/livereloadinject.go

From your standpoint it might be worth calling out in the readme once the W3C/WHATWG issue is confirmed (or not confirmed).

Sorry for the noise.

smhg commented

No worries. Thanks for the follow up!
Yes, the inclusion of the livereload script might need proper CSP measures. But livereload itself also injects things and this might also cause 'issues'.

However:
Livereload should only be used in development environments. In those environments you might be better off disabling CSP.
It sounds awkward that hugo activates CSP in dev and/or includes livereload in production.

Hugo's not activating CSP, just spitting out source code. My templating system outputs the CSP via meta tag and could simply disable live-reload via config flag if I want to test with code closer to production—so no worries at all.