Enable Astro's experimental Content Security Policy support and remove the `is:inline` directive from the theme toggle script so Astro can generate a hash for it. Inline scripts bypass Astro's CSP pipeline and would be blocked by the policy. Co-Authored-By: Claude <noreply@anthropic.com>
geoffg-sentry requested changes on Feb 19, 2026
geoffg-sentry left a comment:
I'm not the best here, but I think some scripts might get blocked when we throw on CSP. I think we gotta allow Google Fonts, probably some Twitter resources too, like

    csp: {
      styleDirective: {
        // external origins that may serve stylesheets (style-src)
        resources: ["https://fonts.googleapis.com", "https://platform.twitter.com"]
      }
    }
There's a script in BaseLayout.astro that is:inline, so that's likely going to be blocked, but I don't think we can just remove it. Searching quickly, I think we add the hash ourselves with https://docs.astro.build/en/reference/experimental-flags/csp/#cspinsertscripthash
And I saw <script define:vars={{ listId }}> in PostList.astro but I'm not sure how to fix this one.
Replace Google Fonts with self-hosted JetBrains Mono woff2 files to avoid CSP style-src violations. Restore Plausible analytics and configure CSP to allow plausible.io as a script and connect source. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/gIeOoKPtmvSR20aB5W9-5CwyNa8a0It-59Kkq7yGAP0
# Conflicts: # src/layouts/BaseLayout.astro Agent transcript: https://claudescope.sentry.dev/share/HHidFCLAyqosMWvILeD01szjKvwCbP0ez_ag1uzLkN4
Restore apple-touch-icon and manifest from main, remove nonexistent dark favicon. Co-Authored-By: Claude <noreply@anthropic.com>
Remove variable extraction for Plausible and footer color changes that were not part of the CSP work. Co-Authored-By: Claude <noreply@anthropic.com>
Scripts with is:inline bypass Astro's CSP hash generation, causing them to be blocked by the browser. Remove the directive so Astro can hash them properly. Co-Authored-By: Claude <noreply@anthropic.com>
The theme init script must run synchronously before paint to prevent a flash of wrong theme. Restore is:inline and add its SHA-256 hash to the CSP config so the browser allows it. Co-Authored-By: Claude <noreply@anthropic.com>
Astro drops processed scripts and ignores template conditionals for non-inline scripts. Keep all scripts as is:inline and add their SHA-256 hashes to the CSP config manually. Co-Authored-By: Claude <noreply@anthropic.com>
Astro drops processed scripts and ignores template conditionals for non-inline scripts. Keep all scripts as is:inline and add their SHA-256 hashes to the CSP config manually. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/isudgKIPBCXKIyb63mFw83EiI1AoyMqGjXa-Vsww7ks
…ering into chore-enable-csp
Co-Authored-By: Claude <noreply@anthropic.com>
Replace inline style attribute with class:list/hidden to avoid style-src-attr CSP violation. Replace define:vars with data attribute and is:inline script to produce a stable hash. Co-Authored-By: Claude <noreply@anthropic.com>
Shiki syntax highlighting generates inline style attributes on code tokens which cannot be individually hashed. Add unsafe-inline to style-src. Restrict img-src to self. Co-Authored-By: Claude <noreply@anthropic.com>
No default-src is set, so omitting img-src leaves images unrestricted. The restriction would break external images in blog posts without meaningful security benefit. Co-Authored-By: Claude <noreply@anthropic.com>
Enable Astro's experimental Content Security Policy support for the site.
The is:inline directive on the theme toggle script is removed so Astro can hash it and include it in the CSP header. Inline scripts bypass Astro's CSP pipeline and would be blocked by the policy.
See https://docs.astro.build/en/reference/experimental-flags/csp/