
Commit a029866

committed
fix(ssr): add nonces for strict-dynamic csp
1 parent a6f9d5c commit a029866


3 files changed

+20
-8
lines changed


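--- a/.changeset/young-groups-open.md
+++ b/.changeset/young-groups-open.md
@@ -0,0 +1,5 @@
+---
+'@builder.io/qwik': patch
+---
+
+fix: SSR was missing some places with nonce for CSP. Now CSP should work even when strict-dynamic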

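--- a/packages/qwik/src/server/preload-impl.ts
+++ b/packages/qwik/src/server/preload-impl.ts
@@ -66,12 +66,13 @@ export const preloaderPre = (
 * We add modulepreloads even when the script is at the top because they already fire during
 * html download
 */
-jsx('link', { rel: 'modulepreload', href: preloaderPath }),
+jsx('link', { rel: 'modulepreload', href: preloaderPath, nonce }),
 jsx('link', {
 rel: 'preload',
 href: bundleGraphPath,
 as: 'fetch',
 crossorigin: 'anonymous',
+nonce,
 }),
 jsx('script', {
 type: 'module',
@@ -84,7 +85,7 @@ export const preloaderPre = (
 
 const corePath = simplifyPath(base, resolvedManifest?.manifest.core);
 if (corePath) {
-beforeContent.push(jsx('link', { rel: 'modulepreload', href: corePath }));
+beforeContent.push(jsx('link', { rel: 'modulepreload', href: corePath, nonce }));
 }
 };
 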
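Review bot: The `nonce` added to the `rel: 'preload'`, `as: 'fetch'` link for `bundleGraphPath` most likely has no effect on CSP. As far as I can tell a fetch preload is checked against `connect-src` (falling back to `default-src`), which matches on URL and does not honour nonces, so a policy that only sets `script-src 'nonce-…' 'strict-dynamic'` alongside a restrictive `default-src` can still block the bundle graph request. The two `modulepreload` links are script-destination requests, and there the nonce does matter. I would add a comment above the fetch preload, for example `// nonce is not consulted for as=fetch; bundleGraphPath must be allowed by connect-src`, so operators know which directive to configure. `preloaderPre` starts and ends outside these hunks, so whether the `script` element that follows already carries the nonce cannot be confirmed from here.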

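--- a/packages/qwik/src/server/render.ts
+++ b/packages/qwik/src/server/render.ts
@@ -48,6 +48,7 @@ export async function renderToStream(
 const firstFlushTimer = createTimer();
 const buildBase = getBuildBase(opts);
 const resolvedManifest = resolveManifest(opts.manifest);
+const nonce = opts.serverData?.nonce;
 function flush() {
 if (buffer) {
 nativeStream.write(buffer);
@@ -123,16 +124,21 @@ export async function renderToStream(
 let didAddQwikLoader = false;
 if (includeMode !== 'never' && qwikLoaderChunk) {
 beforeContent.unshift(
-jsx('link', { rel: 'modulepreload', href: `${buildBase}${qwikLoaderChunk}` }),
+jsx('link', {
+rel: 'modulepreload',
+href: `${buildBase}${qwikLoaderChunk}`,
+nonce,
+}),
 jsx('script', {
 type: 'module',
 async: true,
 src: `${buildBase}${qwikLoaderChunk}`,
+nonce,
 })
 );
 didAddQwikLoader = true;
 }
-preloaderPre(buildBase, resolvedManifest, opts.preloader, beforeContent, opts.serverData?.nonce);
+preloaderPre(buildBase, resolvedManifest, opts.preloader, beforeContent, nonce);
 
 const renderTimer = createTimer();
 const renderSymbols: string[] = [];
@@ -161,7 +167,7 @@ export async function renderToStream(
 jsx('script', {
 type: 'qwik/json',
 dangerouslySetInnerHTML: escapeText(jsonData),
-nonce: opts.serverData?.nonce,
+nonce,
 })
 );
 if (snapshotResult.funcs.length > 0) {
@@ -170,7 +176,7 @@ export async function renderToStream(
 jsx('script', {
 'q:func': 'qwik/json',
 dangerouslySetInnerHTML: serializeFunctions(hash, snapshotResult.funcs),
-nonce: opts.serverData?.nonce,
+nonce,
 })
 );
 }
@@ -188,7 +194,7 @@ export async function renderToStream(
 async: true,
 type: 'module',
 dangerouslySetInnerHTML: qwikLoaderScript,
-nonce: opts.serverData?.nonce,
+nonce,
 })
 );
 }
@@ -200,7 +206,7 @@ export async function renderToStream(
 children.push(
 jsx('script', {
 dangerouslySetInnerHTML: content,
-nonce: opts.serverData?.nonce,
+nonce,
 })
 );
 }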
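Review bot: `const nonce = opts.serverData?.nonce;` now feeds every preload link and script the renderer emits, but nothing in the visible hunks documents or checks what that value must be. A CSP nonce only protects the page when it is freshly generated for each response, unpredictable, and identical to the one in the response's CSP header, so HTML rendered with it should not be served from a shared cache. I would add a comment at the declaration such as `// per-response CSP nonce from the host; must match the CSP header and never be reused or cached`. If `serverData` is loosely typed (its declaration is not visible here), it would also be worth ignoring non-string values, for example `const nonce = typeof opts.serverData?.nonce === 'string' ? opts.serverData.nonce : undefined;`. `renderToStream` begins and ends outside the hunks shown.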
