feat: experimental CSP docs #11736
Conversation
That's a huge, cool and elegant solution that covers 90% of my needs. Great job @ematipico! I will use your solution for Google Analytics, comments and styles, and Zaraz for the rest (which is ad placement, because those are added on top of a built website and need nonces).
Enables support for [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) to help minimize certain types of security threats by controlling which resources a document is allowed to load. This provides additional protection against [cross-site scripting (XSS)](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting) attacks.
Enabling this feature adds additional security to Astro's handling of processed and bundled scripts and styles by default, and is further configurable for more control over these, and additional, content types.
This feature doesn't support things like inline scripts, so I wonder if this phrase is clear enough to tell the user that this feature doesn't cover them
<Since v="5.9.0" />
</p>
A list of valid sources for the `script-src` and `style-src` directives.
If possible, I would like to keep the word "resources" because that's how MDN calls them
Suggested change:
- A list of valid sources for the `script-src` and `style-src` directives.
+ A list of valid resources for the `script-src` and `style-src` directives.
We can do this! But I did check that MDN does define a resource as a "valid source", which is why I used it -- the only thing I was trying to avoid here was an "unhelpful" definition, like "Resources are resources." (Ideally, we don't define something with the EXACT same word.) But it's true that our `resources` property is a list of resources, and we'll review all these docs again when they become stable, so we'll see if these have worked fine as is!
Are there any uses of the word "source" in the rest of this section that you think should be changed to "resource"?
> resource as a "valid source"
I must have missed that. No worries, it's just a nit. As long as users understand that, I'm fine :)
Co-authored-by: Sarah Rainsberger <[email protected]>
Description (required)
This PR adds a new page under the experimental section that documents the upcoming CSP support.
For Astro version: 5.9.0. See astro PR #13802. I leave here the link to the RFC too: https://github.com/withastro/roadmap/blob/feat/rfc-csp/proposals/0055-csp.md