vite-ssg 生成 inline script 产生的问题 #49

tshemeng · 2021-06-02T02:03:18Z

我使用vite-ssg生成.html，然后打包为浏览器扩展，在feat: Add Initial State这个commit之后，vite-ssg会在生成的.html文件末尾插入一段inline script，这会触发浏览器CSP错误，因为浏览器认为扩展中存在inline script是不安全的，是否可以添加选项选择是否启用这个特性呢

<script>window.__INITIAL_STATE__ = "{}"</script>

The text was updated successfully, but these errors were encountered:

antfu · 2021-06-02T03:06:57Z

Yeah, PR welcome! /cc @pantajoe

BTW, @tshemeng it will be great if you can use English next time, so ppl could help and discuss easier

pantajoe · 2021-06-26T10:09:48Z

I have much on my plate right now, but I guess I can do it in the next few weeks if no one does it before me 😄 Just an idea: Maybe it's a good idea not to inline this into the app.html, but rather as an additional initial-state.js script that is required on every generated page?
This way, we do not a feature flag for this.

pantajoe · 2021-07-10T08:21:51Z

@antfu @tshemeng I created a PR #67. It extracts the initialState script to an asset file and avoid the inline script. As I mentioned earlier, this should both prevent a feature flag to toggle the initialState feature and respect CSP.

antfu added the pr welcome label Jun 2, 2021

pantajoe linked a pull request Jul 10, 2021 that will close this issue

feat: Extract initialState to asset to respect CSP #67

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vite-ssg 生成 inline script 产生的问题 #49

vite-ssg 生成 inline script 产生的问题 #49

tshemeng commented Jun 2, 2021

antfu commented Jun 2, 2021

pantajoe commented Jun 26, 2021

pantajoe commented Jul 10, 2021

vite-ssg 生成 inline script 产生的问题 #49

vite-ssg 生成 inline script 产生的问题 #49

Comments

tshemeng commented Jun 2, 2021

antfu commented Jun 2, 2021

pantajoe commented Jun 26, 2021

pantajoe commented Jul 10, 2021