-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoiding inline script tag in built index.html #288
Comments
That's a good point. I gave this a try by just appending the I think a good place for this setting would be the special HTML link: <!DOCTYPE html>
<html lang="en">
<head>
<link data-trunk rel="rust" data-no-inline>
<!-- ^ new option here -->
</head>
<body>
</body>
</html> If that is set, we simply append the call to the |
Is the additional attribute required? I'd argue that putting |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
Since I care a great deal about proper CSP headers, I'm going to poke this to ward off the bot. If it's been fixed, let a human actively close it. |
@ssokolow Honestly I am not sure what the state is. If you know more, maybe you could re-evaluate this. And of course: PRs welcome :) |
@ctron now that #8 is working the main reason for it to fail with <script type="module">
import init, * as bindings from '/app-ui-ca21138b3c5c8d36.js';
const wasm = await init('/app-ui-ca21138b3c5c8d36_bg.wasm');
window.wasmBindings = bindings;
dispatchEvent(new CustomEvent("TrunkApplicationStarted", {detail: {wasm}}));
</script> Setting a In my server project I parse the html file and extract the I have created a PR for this #809 |
Can we reopen this please? https://developer.chrome.com/docs/extensions/reference/manifest/content-security-policy#extension_pages_policy I want to use this for Chrome Extensions and there inline scripts are not allowed, not even with nonces. |
I have a horrible hack hook:
|
It would be great if it was possible to avoid having the
part of the html in a separate file and load it as a module, similar to React's
INLINE_RUNTIME_CHUNK=false
This is so allowing script-src 'unsafe-inline' can be avoided when setting Content Security Policy headers.
The text was updated successfully, but these errors were encountered: