
feat(core): nonce-based CSP for all HTML responses #1

Open

all3f0r1 wants to merge 2 commits into main from feat/nonce-based-csp

Conversation

@all3f0r1 (Owner)

Summary

  • Replace 'unsafe-inline' in CSP with per-request cryptographic nonces on all HTML responses (admin + public)
  • Generate nonce in runtime init middleware, propagate via locals.cspNonce + EmDashRequestContext.nonce (ALS)
  • Post-process final HTML to inject nonce= attributes into all <script>/<style> tags (idempotent regex, skips tags already having a nonce)
  • Set Content-Security-Policy header centrally in finalizeResponse for HTML responses
  • In dev mode, keep 'unsafe-inline' alongside the nonce for Vite HMR compatibility
  • Remove the old admin-only CSP from auth.ts middleware

Test plan

  • Verify admin UI loads and functions correctly in dev mode (Vite HMR)
  • Verify public pages render correctly
  • Check that CSP header is present on HTML responses with a valid nonce
  • Verify <script> and <style> tags in rendered HTML have nonce= attributes
  • Verify non-HTML responses (API JSON, images) are unaffected
  • Run existing test suite: pnpm test
  • Run typecheck: pnpm typecheck

🤖 Generated with Claude Code
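The nonce pipeline the description outlines (generate a nonce per request, inject it into `<script>`/`<style>` tags that lack one, emit the header from one central place), as an added TypeScript example. This is not code from this PR or the project; the function names, the hypothetical `finalizeHtmlResponse` stand-in for the PR's `finalizeResponse`, the directive list and the sample HTML are all constructed for illustration. The `countTagsMissingNonce` helper is the check behind the test-plan item "Verify `<script>` and `<style>` tags in rendered HTML have nonce= attributes". One caveat on the dev-mode setting: browsers implementing CSP Level 2 or later ignore `'unsafe-inline'` in a directive that also carries a nonce, so keeping both only relaxes the policy for older browsers; Vite HMR needs to be checked against that behaviour rather than assumed to work.

```typescript
import { randomBytes } from "node:crypto";

// Per-request nonce: 128 bits from the CSPRNG, base64-encoded so the value
// is valid both inside the CSP header and inside an HTML attribute.
export function generateCspNonce(): string {
  return randomBytes(16).toString("base64");
}

// Build the header value. The directive list is an assumption for this
// example. In browsers that implement CSP Level 2 or later, 'unsafe-inline'
// is ignored once a nonce is present in the same directive, so the dev-mode
// combination relaxes nothing for those browsers.
export function buildCspHeader(nonce: string, dev: boolean): string {
  const sources = `'self' 'nonce-${nonce}'${dev ? " 'unsafe-inline'" : ""}`;
  return [
    "default-src 'self'",
    `script-src ${sources}`,
    `style-src ${sources}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Opening <script>/<style> tags only: "<" followed directly by the tag name
// excludes closing tags. Limitation: the [^>]* attribute scan does not
// understand a literal ">" inside a quoted attribute value.
const TAG_RE = /<(script|style)\b([^>]*)>/gi;
// Matches a real nonce attribute, not e.g. data-nonce=...
const NONCE_ATTR_RE = /(?:^|\s)nonce\s*=\s*["']([^"']*)["']/i;

// Tags already carrying a nonce are left untouched, which makes the pass
// idempotent: running it twice yields the same output as running it once.
export function injectNonce(html: string, nonce: string): string {
  return html.replace(TAG_RE, (whole: string, tag: string, attrs: string) => {
    if (/(?:^|\s)nonce\s*=/i.test(attrs)) return whole;
    return `<${tag} nonce="${nonce}"${attrs}>`;
  });
}

// Count <script>/<style> opening tags whose nonce attribute is absent or
// differs from the value the header advertises; 0 means body and header
// are consistent and every inline block will be allowed to run.
export function countTagsMissingNonce(html: string, nonce: string): number {
  const re = new RegExp(TAG_RE.source, "gi");
  let missing = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    const found = NONCE_ATTR_RE.exec(m[2]);
    if (!found || found[1] !== nonce) missing++;
  }
  return missing;
}

// Hypothetical stand-in for the PR's centralized finalizeResponse step:
// one nonce per call, injected into the body and echoed in the header.
export function finalizeHtmlResponse(
  html: string,
  dev: boolean,
  nonce: string = generateCspNonce(),
): { nonce: string; body: string; headers: Record<string, string> } {
  return {
    nonce,
    body: injectNonce(html, nonce),
    headers: { "Content-Security-Policy": buildCspHeader(nonce, dev) },
  };
}

// Constructed sample page (not from the project): one unnonced style, one
// unnonced external script, one script that already carries a nonce.
export const SAMPLE_HTML =
  "<html><head><style>body{margin:0}</style></head>" +
  '<body><script src="/app.js"></script><script nonce="keep">init()</script></body></html>';

console.log(JSON.stringify(finalizeHtmlResponse(SAMPLE_HTML, false), null, 2));
```

Note that a tag which already carries a nonce from some other source (the `nonce="keep"` script in the sample) is preserved, not overwritten, exactly as the description's idempotent rule says; `countTagsMissingNonce` still reports it, because a nonce that does not match the header will be blocked by the browser.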

Generate a cryptographic nonce per request in the runtime init
middleware and use it for script-src/style-src on all HTML responses
(admin + public). Post-process final HTML to inject nonce attributes
into any <script>/<style> tags that don't already have one.

In dev mode, 'unsafe-inline' is kept alongside the nonce for Vite HMR
compatibility. In production, strict nonce-only.

Removes the old admin-only CSP from auth middleware in favor of
centralized handling in finalizeResponse.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@github-actions

PR template validation failed

Please fix the following issues by editing your PR description:

  • This PR does not use the required PR template. Please edit the description to use the PR template. Copy it into your PR description and fill out all sections.

See CONTRIBUTING.md for the full contribution policy.

@github-actions

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

The field editor modal was closing immediately after clicking save, before
the mutation completed. This caused the UI to not refresh and show no
feedback that the save succeeded. The data was saved to the DB, but the
user couldn't see the result.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@github-actions

github-actions Bot commented May 6, 2026

This PR has been inactive for 14 days. It will be closed automatically in 7 days if there is no further activity.

If you're still working on this, please push an update or leave a comment.

@github-actions github-actions Bot added stale and removed stale labels May 6, 2026
1 participant