support trusted types enforcement in react-start #6527
hybrist wants to merge 1 commit into TanStack:main from
ae95e33 to 2ffe5fb
| export const requiresTrustedTypes: boolean = | ||
| import.meta.env.VITE_CSP === 'strict' | ||
|
|
||
| declare const trustedTypes: any |
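Review bot: `declare const trustedTypes: any` tells the compiler the global always exists, but it is undefined in engines that do not ship the API, so every read of it needs a `typeof trustedTypes !== 'undefined'` check. A narrow local interface (only `createPolicy`) in place of `any` would also keep policy creation type-checked. Separately, `requiresTrustedTypes` is fixed at build time from `import.meta.env.VITE_CSP`, while enforcement is decided by the CSP the response actually carries; a comment stating that the two must be kept in sync would help.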
These types should make it into TS proper soon™ given that there's now two engines (Safari + Chromium) that ship the feature.
2ffe5fb to 272ffe5
272ffe5 to 8373cb1
@schiller-manuel Updated with an integration into the existing CSP test. The checked-in test results show the general issue (client-side script creation after hydration).
|
||
| declare const trustedTypes: any | ||
|
|
||
| const tanStackPolicy: TanStackPolicy = { |
NOTE: This policy should really be locked down, at least to some extent. E.g. createHTML shouldn't just bless any string when its purpose is to bless static strings like ''.
Currently @tanstack/react-start fails during route transitions when trusted types are enabled. This makes it impossible to use it with strict CSPs that enable all the "XSS-prevention bells and whistles".
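The review note above asks for a policy that blesses only known static strings rather than any input. A sketch of such a locked-down policy, as an added example that is not code from this PR or from TanStack: the names `STATIC_HTML`, `ASSET_SCRIPT`, `lockedDownRules` and `installPolicy`, the `/assets/` prefix and the sample strings are all assumptions.

```typescript
// Added example; every name below is hypothetical, not taken from the PR.

// Static markup the framework itself injects (constructed sample values).
const STATIC_HTML: readonly string[] = ['', '<template></template>']

// Assumption: client-side route chunks are served from /assets/ as plain file names.
// No '%', '/' or '\' can appear after the prefix, so dot-segments and
// protocol-relative URLs cannot be smuggled through.
const ASSET_SCRIPT = /^\/assets\/[A-Za-z0-9._-]+\.js$/

type PolicyRules = {
  createHTML: (input: string) => string
  createScriptURL: (input: string) => string
}

// Each rule throws instead of returning, so a non-allowlisted value never
// becomes a trusted value and the sink assignment fails loudly.
const lockedDownRules: PolicyRules = {
  createHTML(input) {
    if (STATIC_HTML.indexOf(input) === -1) {
      throw new TypeError('createHTML: input is not an allowlisted static string')
    }
    return input
  },
  createScriptURL(input) {
    if (!ASSET_SCRIPT.test(input)) {
      throw new TypeError('createScriptURL: input is not a same-origin asset path')
    }
    return input
  },
}

type Policy = {
  createHTML: (input: string) => unknown
  createScriptURL: (input: string) => unknown
}

// Registers the rules with the Trusted Types API when the engine has it.
// Without the API (Node, older engines) the same rules still validate input
// and return plain strings.
function installPolicy(name: string): Policy {
  const tt = (globalThis as any).trustedTypes
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(name, lockedDownRules)
  }
  return lockedDownRules
}
```

Under enforcement, the CSP `trusted-types` directive can additionally restrict which policy names may be created.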