feat: Add CSP support for hydratable
#17338
base: main
|
|
| body | ||
| body, | ||
| hashes: { | ||
| script: renderer.global.csp.script_hashes |
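Review bot: On the last line, `script: renderer.global.csp.script_hashes` hands callers the renderer's own collection rather than a copy, and nothing here documents what form each entry takes. Consider documenting whether the entries are bare base64 digests or complete `'sha256-…'` source expressions ready to place in a `script-src` directive, so that callers do not build a policy that silently fails to match the inline script.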
as of now, this will only ever have one hash in it -- however, with streaming, it would be more...
Thinking ahead, with streaming, this should probably error if you try to access it prior to fully-reading tail, because it needs to be fully-populated before you send the response.
| { | ||
| ${prelude} | ||
| const body = ` | ||
| { |
I dedented and changed the formatting of this stuff because it was confusing in the browser... I could be convinced to sacrifice browser readability for code readability but I don't think the readability here is that bad, and it also technically reduces the byte count
| import { assert, test } from 'vitest'; | ||
| import { sha256 } from './crypto.js'; | ||
|
|
||
| const inputs = [ | ||
| ['hello world', 'uU0nuZNNPgilLlLX2n2r+sSE7+N6U4DukIj3rOLvzek='], | ||
| ['', '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='], | ||
| ['abcd', 'iNQmb9TmM40TuEX88olXnSCciXgjuSF9o+Fhk28DFYk='], | ||
| ['the quick brown fox jumps over the lazy dog', 'Bcbgjx2f2voDFH/Lj4LxJMdtL3Dj2Ynciq2159dFC+w='], | ||
| ['工欲善其事,必先利其器', 'oPOthkQ1c5BbPpvrr5WlUBJPyD5e6JeVdWcqBs9zvjA='] | ||
| ]; | ||
|
|
||
| test.each(inputs)('sha256("%s")', async (input, expected) => { | ||
| const actual = await sha256(input); | ||
| assert.equal(actual, expected); | ||
| }); |
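Review bot: All five entries in `inputs` are shorter than 56 bytes as UTF-8 (the longest is 43), so every case is hashed as a single padded block. Adding one input of 56 to 63 bytes and one longer than 64 bytes would also cover the padding-overflow and multi-block paths of whatever implementation `./crypto.js` resolves to on each runtime.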
Is there a reason to test this? We aren't rolling our own hashing algorithm; we're basically just testing node here, no?
Reason enough -- these tests actually already caught a node support bug in one of our suites 😅
| } | ||
| </script>`; | ||
| for (const [k, v] of [ | ||
| ${entries.join(',\n')} |
Is there a reason to remove the \ts here?
Yeah, because I removed them elsewhere -- makes it easier to read in the browser
This also gives us an avenue for supporting CSS stuff in the future.