Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSP Injects Incorrectly on Elements Without Closing Tag #16281

Closed
7 tasks done
gregtwallace opened this issue Mar 26, 2024 · 0 comments · Fixed by #16282
Closed
7 tasks done

CSP Injects Incorrectly on Elements Without Closing Tag #16281

gregtwallace opened this issue Mar 26, 2024 · 0 comments · Fixed by #16282
Labels
p3-minor-bug An edge case that only affects very specific usage (priority)

Comments

@gregtwallace
Copy link
Contributor

Describe the bug

Recently Content Security Policy (CSP) support was added (see: #16052). However, the injection process behaves incorrectly on elements that do not have a closing tag.

For example:
<link rel="stylesheet" href="/roboto.css" />

Becomes this with the current CSP injection behavior:
<link rel="stylesheet" href="/roboto.css" / nonce="abc123">

But it should become:
<link rel="stylesheet" href="/roboto.css" nonce="abc123"/>

This is caused by an offset in the injection function being statically set to 1.

Reproduction

https://github.com/gregtwallace/legocerthub-frontend

Steps to reproduce

Set the following in the vite config:

html: {
    cspNonce: '{SERVER-CSP-NONCE}',
  },

Add a stylesheet link to the index.html file:

<link rel="stylesheet" href="/fonts/roboto.css" />

Run npx vite open the app in a browser, and view the source code that is served.

System Info

System:
    OS: Windows 11 10.0.22631
    CPU: (16) x64 AMD Ryzen 7 7800X3D 8-Core Processor
    Memory: 44.68 GB / 63.21 GB
  Binaries:
    Node: 18.17.0 - C:\Program Files\nodejs\node.EXE
    npm: 10.2.3 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Chromium (122.0.2365.92)
    Internet Explorer: 11.0.22621.1
  npmPackages:
    @vitejs/plugin-react-swc: ^3.6.0 => 3.6.0
    vite: ^5.2.6 => 5.2.6

Used Package Manager

npm

Logs

No response

Validations

@sapphi-red sapphi-red linked a pull request Mar 29, 2024 that will close this issue
@sapphi-red sapphi-red added the p3-minor-bug An edge case that only affects very specific usage (priority) label Mar 29, 2024
patak-dev pushed a commit that referenced this issue Mar 31, 2024
patak-dev pushed a commit that referenced this issue Apr 5, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Apr 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
p3-minor-bug An edge case that only affects very specific usage (priority)
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants