Replies: 1 comment 2 replies
-
|
@fredkzk not a bug, but definitely a footgun. when the browser receives two separate the fix is to modify fresh's built-in CSP config instead of adding a separate header. use the // routes/_app.tsx
import { useCSP } from "$fresh/runtime.ts";
export default function App(req: Request, ctx: FreshContext) {
useCSP((csp) => {
csp.directives.imgSrc = [
"'self'",
"https://firebasestorage.googleapis.com",
"data:",
];
});
return <ctx.Component />;
}this modifies the existing CSP header rather than creating a second one. the key takeaway: never set a raw ref: fresh CSP docs |
Beta Was this translation helpful? Give feedback.
-
|
Hey, thanks for the insights. Did you mean this? |
Beta Was this translation helpful? Give feedback.
-
|
@fredkzk good catch, you're right. the new approach is middleware-based using import { App } from "fresh";
import { csp } from "fresh";
const app = new App()
.use(csp({
csp: [
"default-src 'self'",
"script-src 'self' 'unsafe-inline'",
],
}));it applies app-wide instead of per-route, and takes declarative string directives instead of the old callback-mutation style. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
When I want to enable images from firebase
"img-src 'self' https://firebasestorage.googleapis.com data:",my directive becomes a duplicate of the default one"img-src 'self' data:"as seen in the headers.And it refuses to be loaded: violates the following Content Security Policy directive: "img-src 'self' data:"
Is that a big beautiful bug?
Beta Was this translation helpful? Give feedback.
All reactions