Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: page response missing CSP and Link headers when return promise in load #12418

Merged
merged 4 commits into from
Oct 10, 2024
Merged

fix: page response missing CSP and Link headers when return promise in load #12418

merged 4 commits into from
Oct 10, 2024

Conversation

0x221A
Copy link
Contributor

@0x221A 0x221A commented Jun 29, 2024
edited by eltigerchino
Loading

closes #11801

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jun 29, 2024
edited
Loading

🦋 Changeset detected

Latest commit: c8eb682

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@darg-2036

This comment was marked as duplicate.

Sign in to view
@eltigerchino
Copy link
Member

eltigerchino commented Oct 10, 2024
edited
Loading

Thank you for the PR. I think it's good to merge, but is it possible if we add some kind of test such as one that checks that the CSP headers are included in the server response? Maybe as an additional test in this test suite:

kit/packages/kit/test/apps/options/test/test.js

Lines 115 to 139 in 6f273fb

test.describe('CSP', () => {
test('blocks script from external site', async ({ page, start_server }) => {
const { port } = await start_server((req, res) => {
if (req.url === '/blocked.js') {
res.writeHead(200, {
'content-type': 'text/javascript'
});
res.end('window.pwned = true');
} else {
res.writeHead(404).end('not found');
}
});
await page.goto(`/path-base/csp?port=${port}`);
expect(await page.evaluate('window.pwned')).toBe(undefined);
});
test("quotes 'script'", async ({ page }) => {
const response = await page.goto('/path-base');
expect(response.headers()['content-security-policy']).toMatch(
/require-trusted-types-for 'script'/
);
});
});

@eltigerchino eltigerchino added the bug Something isn't working label Oct 10, 2024
@0x221A
Copy link
Contributor Author

0x221A commented Oct 10, 2024

@eltigerchino sure!

@eltigerchino eltigerchino merged commit 6f9aefd into sveltejs:main Oct 10, 2024
12 checks passed
@eltigerchino
Copy link
Member

Thank you so much!

@github-actions github-actions bot mentioned this pull request Oct 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eltigerchino eltigerchino eltigerchino approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Streaming disables CSP silently
3 participants
@0x221A @darg-2036 @eltigerchino