| * - [Astro's view transitions](https://v6.docs.astro.build/en/guides/view-transitions/) using the `<ClientRouter />` are not supported, but you can [consider migrating to the browser native View Transition API](https://events-3bg.pages.dev/jotter/astro-view-transitions/) instead if you are not using Astro's enhancements to the native View Transitions and Navigation APIs. | ||
| * - Shiki isn't currently supported. By design, Shiki functions using inline styles. | ||
| * - Shiki isn't currently supported. By design, Shiki functions use inline styles that cannot work with Astro CSP implementation. Consider [using `<Prism />`](https://v6.docs.astro.build/en/guides/syntax-highlighting/#prism-) when your project requires both CSP and syntax highlighting. | ||
| * - `unsafe-inline` directives can't work with how Astro implements CSP. |
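Review bot: the added Shiki line drops the possessive, "Astro CSP implementation" reads awkwardly and is inconsistent with the second suggestion in this thread, which says "Astro's CSP implementation"; use the possessive here too. Also, "Shiki functions use inline styles" turns "functions" into a noun and is easy to misread; "Shiki works by emitting inline styles, which cannot work with Astro's CSP implementation" keeps the original meaning unambiguously.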
| * - `unsafe-inline` directives can't work with how Astro implements CSP. | |
| * - `unsafe-inline` directives are incompatible with Astro's CSP implementation. By default, Astro will emit hashes for all its bundled scripts (e.g. client islands) and all modern browsers will automatically reject `unsafe-inline` when it occurs in a directive with a hash or nonce. |
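Review bot: "browsers will automatically reject `unsafe-inline`" could be read as the browser rejecting the whole directive or policy; the behaviour quoted later in this thread is that the browser ignores `unsafe-inline` when the same directive also carries a nonce or hash, so "ignore" is the accurate verb. Suggested: "... and browsers ignore `unsafe-inline` when it appears in a directive that also contains a hash or nonce."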
Does this sound OK? And, do you think the external link is helpful?
Updated to remove the link, and with a possible idea for a second sentence if you want one! (The first sentence on its own is complete. I'll leave it your call whether you'd also like a second sentence with more details! You can also edit the sentence if it needs fixing!)
Very direct. Yeah that works
And, do you think the external link is helpful?
Not really, it doesn't actually address the real reason why unsafe-inline doesn't work with Astro's implementation.
Here it's briefly mentioned, but for nonce:
If a directive contains a nonce and unsafe-inline, then the browser ignores unsafe-inline.
OK, then I'll update my suggestion to remove the link! I'll put back your second line and you can decide whether you want that too, or just the first line!
Unless we want to cite a source, I don't think a link is necessary (we're already summarizing the incompatibility) but if we want one:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy#hash_algorithm-hash_value this one contains the same line but for hashes
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP#inline_javascript talks about both nonce and hashes (for inline JS, nothing about inline styles)
Anyway, this looks good to me!
I think we can start without links. I'll be on the lookout for issues on the matter, and if people ask, I will suggest the link. Is that reasonable?
Co-authored-by: Sarah Rainsberger <5098874+sarah11918@users.noreply.github.com>
Changes
Updates the configuration reference of CSP
Testing
N/A
Docs
/cc @withastro/maintainers-docs for feedback!