Update create-vite Vanilla and Vanilla TS to support CSP require-trusted-types-for #15686
Comments
|
I'm just guessing that it won't make a difference until PR #14653 is updated and merged. Current Dev mode doesn't support CSP |
|
(@ghiscoding for most users, probably, but you can run into this issue with IWAs today, which is my usecase. Instructions for trying that out are below) If anyone would like to try this with an IWA, here are the steps to set up Vite to use as a dev server for an Isolated Web App: tl;dr You need to set Vite up to run in HTTPS with verified (i.e. not self-signed) certificates, force the dev server and the HMR connection to use the same host and port, include a
server: {
port: 5193,
strictPort: true,
https: {
key: fs.readFileSync('./certs/localhost-key.pem'),
cert: fs.readFileSync('./certs/localhost.pem'),
},
hmr: {
protocol: 'wss',
host: 'localhost',
clientPort: 5193,
}
},
{
"id": "/",
"short_name": "Test IWA",
"name": "Test IWA",
"version": "0.0.1",
"icons": [
{
"src": "images/icon.png",
"type": "image/png",
"sizes": "512x512",
"purpose": "any maskable"
}
],
"start_url": "/",
"display": "standalone",
"scope": "/",
"isolated_storage": true,
"permissions_policy": {
"cross-origin-isolated": ["self"]
}
}On the latest Chrome Beta, Dev, or Canary channel, enable the |
|
Thanks for the detailed explanation @Snugug! I think we should update the Vanilla starters. Are you planing to work on a PR too to do this? Or should we add that to our queue? |
patak-dev
added
enhancement
I'm happy to make a PR for it. Do you have a preferred solution for generating the app scaffolding? If not, I'll go the create element route. |
|
@patak-dev can the PR #14653 also be added back to a higher queue? I thought it was going to be relooked into after v5 shipped, but there's no update since it was opened last October and CSP is more and more required by the business since security is a hot topic these days |
Awesome! Creating an element sounds good to me 👍🏼 |
|
Done! PR open! |
We have discussed it in some meetings, and sapphi made a lot of progress there. Let's use that PR to discuss. We all believe that it should be merged. |
|
|
Closing as we decided in the last team meeting to keep the vanilla templates as minimal as possible. See comment here: #15689 (comment) |
Description
The Content Security Policy (CSP)
require-trusted-types-fordisallows directinnerHTMLusage. Both the Vanilla JS and Vanilla TS starters useinnerHTMLto set up their app's initial HTML structure frommain.(js|ts)and set the value of the counter when clicked fromcounter.(js|ts). Because of this, both of these starters throw errors and don't work with this CSP in place.While likely not a general problem for most Vite users, this does become a problem using these starters to test out Isolated Web Apps, in-progress standards proposal. IWAs require this CSP as part of their runtime experience, so trying to spin up a quick sample app with either of these project bases causes immediate errors.
Suggested solution
coutner.(js|ts), replace theinnerHTMLwithtextContent. This works under that CSP and is the more appropriate property to be usingmain.(js|ts), either implement a sampletrustedTypespolicy (as shown in the MDN page above), update the code to usecreateElementcalls and append them as needed, or write the HTML directly toindex.htmlinstead of injecting it through JavaScriptAlternative
I'd considered suggesting adding an IWA starter, which may be useful down the line, but I don't think is needed right now, especially as these two changes will benefit everyone.
Additional context
No response
Validations
The text was updated successfully, but these errors were encountered: