
fix(cspNonce): don't overwrite existing nonce values (#16415)
thebanjomatic authored Apr 18, 2024
1 parent 6cccef7 commit b872635
Showing 3 changed files with 38 additions and 9 deletions.
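--- a/packages/vite/src/node/plugins/html.ts
+++ b/packages/vite/src/node/plugins/html.ts
@@ -1180,24 +1180,29 @@ export function injectNonceAttributeTagHook(
 return
 }
 
+const { nodeName, attrs, sourceCodeLocation } = node
+
 if (
-node.nodeName === 'script' ||
-(node.nodeName === 'link' &&
-node.attrs.some(
+nodeName === 'script' ||
+(nodeName === 'link' &&
+attrs.some(
 (attr) =>
 attr.name === 'rel' &&
 parseRelAttr(attr.value).some((a) => processRelType.has(a)),
 ))
 ) {
+// If we already have a nonce attribute, we don't need to add another one
+if (attrs.some(({ name }) => name === 'nonce')) {
+return
+}
+
+const startTagEndOffset = sourceCodeLocation!.startTag!.endOffset
+
 // if the closing of the start tag includes a `/`, the offset should be 2 so the nonce
 // is appended prior to the `/`
-const appendOffset =
-html[node.sourceCodeLocation!.startTag!.endOffset - 2] === '/' ? 2 : 1
+const appendOffset = html[startTagEndOffset - 2] === '/' ? 2 : 1
 
-s.appendRight(
-node.sourceCodeLocation!.startTag!.endOffset - appendOffset,
-` nonce="${nonce}"`,
-)
+s.appendRight(startTagEndOffset - appendOffset, ` nonce="${nonce}"`)
 }
 })
 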
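Review bot: The early return at `if (attrs.some(({ name }) => name === 'nonce'))` keeps whatever value the author already wrote on the tag, including an empty string or a value that differs from the configured `nonce`, so a stale hand-written nonce is served untouched and the resource is then rejected by the CSP at runtime with nothing in the build or dev log pointing at the cause. The comment above the check should state that trade-off, e.g. `// An existing nonce attribute is left as-is; its value is not validated against the configured nonce, so a mismatching value will be blocked by the policy`. The name comparison is case-sensitive; that is presumably fine because the parser lower-cases attribute names, but worth confirming against the parse5 options used here. injectNonceAttributeTagHook begins before this hunk.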
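--- a/playground/csp/__tests__/csp.spec.ts
+++ b/playground/csp/__tests__/csp.spec.ts
@@ -27,6 +27,20 @@ test('dynamic js', async () => {
 )
 })
 
+test('inline js', async () => {
+await expectWithRetry(() => page.textContent('.inline-js')).toBe(
+'inline-js: ok',
+)
+})
+
+test('nonce attributes are not repeated', async () => {
+const htmlSource = await page.content()
+expect(htmlSource).not.toContain(/nonce=""[^>]*nonce=""/)
+await expectWithRetry(() => page.textContent('.double-nonce-js')).toBe(
+'double-nonce-js: ok',
+)
+})
+
 test('meta[property=csp-nonce] is injected', async () => {
 const meta = await page.$('meta[property=csp-nonce]')
 expect(await (await meta.getProperty('nonce')).jsonValue()).not.toBe('')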
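Review bot: `expect(htmlSource).not.toContain(/nonce=""[^>]*nonce=""/)` never applies the regex: `toContain` on a string is a substring search, so the RegExp is coerced to its source text and the negative assertion passes whether or not a duplicated nonce attribute is present. Use `expect(htmlSource).not.toMatch(/nonce=""[^>]*nonce=""/)` so the pattern is actually evaluated against the markup. The pattern also relies on `page.content()` serializing nonce attributes with empty values, which seems to be the browser's nonce hiding at work; a one-line comment saying so, e.g. `// the DOM serializes nonces as nonce="" (nonce hiding), so match on the empty form`, would keep a future reader from "fixing" the pattern to the real nonce.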
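--- a/playground/csp/index.html
+++ b/playground/csp/index.html
@@ -11,3 +11,13 @@
 <p class="dynamic">dynamic</p>
 <p class="js">js: error</p>
 <p class="dynamic-js">dynamic-js: error</p>
+<p class="inline-js">inline-js: error</p>
+<p class="double-nonce-js">double-nonce-js: error</p>
+<script>
+document.querySelector('.inline-js').textContent = 'inline-js: ok'
+</script>
+<script nonce="#$NONCE$#">
+// this test case is to ensure that the nonce isn't being
+// double-applied if an existing attribute is present.
+document.querySelector('.double-nonce-js').textContent = 'double-nonce-js: ok'
+</script>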