Add strict CSP example#1903

Merged
atilafassina merged 2 commits into solidjs:main from amirhhashemi:feat/add-strict-csp-example
Aug 5, 2025

Conversation

@amirhhashemi amirhhashemi commented Jun 8, 2025

This PR adds an example demonstrating how to implement a strict CSP with a nonce. I created the project with the Solid CLI using the bare template and added CSP.

netlify bot commented Jun 8, 2025

Deploy Preview for solid-start-landing-page ready!

Latest commit: 4a33ee6
Latest deploy log: https://app.netlify.com/projects/solid-start-landing-page/deploys/6891cc83c3d1bc000863b4b9
Deploy Preview: https://deploy-preview-1903--solid-start-landing-page.netlify.app

@atilafassina atilafassina left a comment

Sorry about the delay reviewing it.
2 minor questions/suggestions.

// For more details, see: https://vite.dev/config/build-options.html#build-assetsinlinelimit
const csp = `
default-src 'self';
script-src 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval';

shouldn't unsafe-eval be present only in development builds?
and nonce only in production?

@amirhhashemi amirhhashemi Jun 25, 2025

shouldn't unsafe-eval be present only in development builds?

I believe Seroval uses eval in production too, though I haven't tested it myself.

and nonce only in production?

Yeah, it's kind of optional. I always use nonce in development to make sure everything is set up correctly. But I guess that can be annoying.

changeset-bot bot commented Jun 25, 2025

⚠️ No Changeset found

Latest commit: 4a33ee6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@amirhhashemi
Contributor Author

I tried to address the mentioned concerns, but also made some small changes. So please review carefully.

@atilafassina atilafassina force-pushed the feat/add-strict-csp-example branch from 46431b9 to 4a33ee6 on August 5, 2025 09:18
@atilafassina atilafassina enabled auto-merge (squash) August 5, 2025 09:19

@atilafassina atilafassina left a comment

🏆 thank you for the work and the patience!

@atilafassina atilafassina merged commit 293c404 into solidjs:main Aug 5, 2025
9 checks passed
@amirhhashemi amirhhashemi deleted the feat/add-strict-csp-example branch August 5, 2025 15:29