[Bug]: Won't load with Sveltekit CSP enabled
Closed this issue · 1 comments
selfagency commented
What happened?
After enabling the content security policy script-src directive in my SvelteKit application, Console Ninja was no longer able to load because it inserts itself as an inline script without a nonce or a hash, either of which is required.
Version
v1.0.330
CLI command to start your dev tool
pnpm run dev
Steps to reproduce (or sample repo)
import adapter from '@sveltejs/adapter-node';
import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
import postcssConfig from 'postcss-load-config';

/** @type {import('@sveltejs/kit').Config} */
const config = {
  preprocess: [
    vitePreprocess({
      postcss: true,
      postcssConfig,
    }),
  ],
  kit: {
    adapter: adapter({ precompress: false }),
    csp: {
      directives: {
        'script-src': ['self', 'unsafe-eval', 'https://unpkg.com'],
      },
    },
    csrf: {
      checkOrigin: false,
    },
  },
};

export default config;
Log output
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://unpkg.com 'nonce-+TFg3eAOqrpM/uB1/Jxlew=='". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
smcenlly commented
Console Ninja needs to establish a connection back to localhost on your computer. You will need to disable CSP for your development environment only (not for your production system) while using Console Ninja from within VS Code.
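The rule quoted in the log output of the issue above, shown as an added example that is not part of the original thread or of Console Ninja's code: a simplified model of how a browser decides whether an inline script passes `script-src`. The function names and the script body are assumptions made for illustration; the policy string is the one from the log.

```javascript
// Added example: simplified CSP Level 3 decision for one inline <script>.
const crypto = require('node:crypto');

// Return the source list of script-src from a serialized policy, or null.
function scriptSrcSources(policy) {
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null;
}

// Base64 digest of the script text, as used in a 'sha256-...' source.
function digestOf(alg, body) {
  return crypto.createHash(alg).update(body, 'utf8').digest('base64');
}

// script = { body, nonce? } models an inline <script nonce="..."> element.
function inlineScriptAllowed(policy, script) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return true; // default-src fallback is not modelled
  const nonces = [];
  const hashes = [];
  for (const s of sources) {
    let m;
    if ((m = /^'nonce-(.+)'$/.exec(s))) nonces.push(m[1]);
    else if ((m = /^'(sha256|sha384|sha512)-(.+)'$/.exec(s))) hashes.push(m);
  }
  if (script.nonce && nonces.includes(script.nonce)) return true;
  if (hashes.some(([, alg, want]) => digestOf(alg, script.body) === want)) return true;
  // 'unsafe-inline' only applies when the list has no nonce or hash source.
  return sources.includes("'unsafe-inline'") && nonces.length + hashes.length === 0;
}

// Policy string copied from the log output; the script body is constructed.
const LOGGED_POLICY =
  "script-src 'self' 'unsafe-inline' https://unpkg.com 'nonce-+TFg3eAOqrpM/uB1/Jxlew=='";
const PAGE_NONCE = '+TFg3eAOqrpM/uB1/Jxlew==';
const injected = { body: "console.log('constructed injected script');" };

console.log(inlineScriptAllowed(LOGGED_POLICY, injected)); // false
console.log(inlineScriptAllowed(LOGGED_POLICY, { ...injected, nonce: PAGE_NONCE })); // true
console.log(inlineScriptAllowed("script-src 'self' 'unsafe-inline'", injected)); // true
```

The first result matches the refusal in the log: the nonce in the source list makes `'unsafe-inline'` inert, so a script element carrying neither that nonce nor a listed hash is blocked.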