fix(refactor): use csp_nonce_html_transformer library #96
Conversation
✅ Deploy Preview for csp-nonce ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
JakeChampion
force-pushed
the
jake/library
branch
from
8bb7892
to
2e6c482
Compare
There was a problem hiding this comment.
In addition to the inline comments, a few other questions:
- The main issue we're experiencing with the CSP extension right now is crashes at runtime; can you explain how this PR addresses that problem? Were you able to repro the problem and confirm that this changeset fixes it?
- The CSP extension/plugin are one of our most used extensions/plugins; given how large a set of changes this is, what's our testing/rollout strategy for these changes?
- Can you add the @netlify/composable-platform team as an admin to the https://github.com/netlify/csp_nonce_html_transformer repository?
There was a problem hiding this comment.
In addition to the inline comments, a few other questions:
- The main issue we're experiencing with the CSP extension right now is crashes at runtime; can you explain how this PR addresses that problem? Were you able to repro the problem and confirm that this changeset fixes it?
- The CSP extension/plugin are one of our most used extensions/plugins; given how large a set of changes this is, what's our testing/rollout strategy for these changes?
- Can you add the @netlify/composable-platform team as an admin to the https://github.com/netlify/csp_nonce_html_transformer repository?
|
@ndhoule unfortunately I don't have admin rights on https://github.com/netlify/csp_nonce_html_transformer/ - I think right now only Netlify GitHub Owners are admins... @eduardoboucas I see you are an owner, would you be able to add @netlify/composable-platform team as an admin to the https://github.com/netlify/csp_nonce_html_transformer repository 🙏 |
JakeChampion
force-pushed
the
jake/library
branch
from
0c5d56e
to
2e6c482
Compare
Yes, the library uses a custom build of lol-html to wasm, specifically it uses a version which does not use asyncify, and asyncify was the cause of the crashes from what we could see in the logs - I've deployed this plugin to test sites which have pages of large (13MB+) html and pages of HTML which customers saw issues with, all those are behaving correctly for me, and I have given them a high load from a single POP and not seen any isolate crashes or errors thrown.
We can release the plugin as a prerelease at first, and deploy it to some site that we own which get medium-to-large traffic, and then eventually promote it to a full release. Once at a full release, we would update the extension to use it. |
JakeChampion
force-pushed
the
jake/library
branch
3 times, most recently
from
b19630e
to
fb0a77a
Compare
csp_nonce_html_transformer internally has a custom non-asyncify wasm build of lol-html which only includes the setAttribute method, as that is all that is needed to add nonce attributes to elements. This reduces the wasm size by ~70%. It is also using the latest v2.0.0 of lol-html. csp_nonce_html_transformer is a standalone library for Deno which takes in a Response instance and will add CSP directives to the configured CSP header and will add nonce attributes to the response body.
JakeChampion
force-pushed
the
jake/library
branch
from
fb0a77a
to
f696b08
Compare
csp_nonce_html_transformer internally has a custom non-asyncify wasm build of lol-html which only includes the setAttribute method, as that is all that is needed to add nonce attributes to elements. This reduces the wasm size by ~70%. It is also using the latest v2.0.0 of lol-html.
csp_nonce_html_transformer is a standalone library for Deno which takes in a Response instance and will add CSP directives to the configured CSP header and will add nonce attributes to the response body.