I would like to have support for CSP nonces in the Miniflare server with live reload:
When running Miniflare with `liveReload: true`, it injects a script to reload the browser when the code changes.
When the worker returns a Content-Security-Policy with a nonce, however, the browser cannot load the live reload script because it doesn't include the required nonce.
The nonce changes in every request so it can't be added statically. The fix would be adding the following code around here.
That ensures that the nonce is added to the script for every request.
After that, there's still another issue with the WS connection to the loopback server port, which might not be added to the CSP. This issue however might be harder to fix and perhaps the solution should be in userland to add `connect-src: ws://localhost:*` to ensure it covers the loopback server port...
Alternatively, connecting to `'self'` (i.e. without specifying a port) to an obfuscated pathname and proxying that in the entry worker to the loopback server might work without changing user code
Thoughts?
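An added illustration of the per-request nonce handling requested above; it is not code from the issue or from Miniflare. The names `extractScriptNonce`, `injectLiveReload` and `LIVE_RELOAD_BODY` are hypothetical, and inserting the tag before `</body>` is an assumption about where the script goes.

```javascript
// Placeholder for the injected live-reload client (assumption, not Miniflare's script).
const LIVE_RELOAD_BODY = "/* live reload client */";

// Return the nonce that the policy accepts for <script> elements, or null.
// Only the first policy of a comma-joined header is read (assumption: one policy).
function extractScriptNonce(cspHeader) {
  if (!cspHeader) return null;
  const policy = cspHeader.split(",")[0];
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // CSP ignores repeated directives: the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  // Fallback chain browsers use for script elements.
  const sources =
    directives.get("script-src-elem") ??
    directives.get("script-src") ??
    directives.get("default-src");
  if (!sources) return null;
  for (const source of sources) {
    // Nonce values are base64 / base64url, so the capture is safe to put in an attribute.
    const m = /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/i.exec(source);
    if (m) return m[1];
  }
  return null;
}

// Insert the live-reload <script>, carrying this response's nonce when it has one.
function injectLiveReload(html, cspHeader) {
  const nonce = extractScriptNonce(cspHeader);
  const attr = nonce === null ? "" : ` nonce="${nonce}"`;
  const tag = `<script${attr}>${LIVE_RELOAD_BODY}</script>`;
  const idx = html.toLowerCase().lastIndexOf("</body>");
  return idx === -1 ? html + tag : html.slice(0, idx) + tag + html.slice(idx);
}

// Constructed sample response: the nonce is read from the header of the same response.
const sampleCsp = "default-src 'self'; script-src 'self' 'nonce-r4nd0mABC='";
console.log(injectLiveReload("<html><body><h1>Hi</h1></body></html>", sampleCsp));
```

Because the nonce is taken from the header of the response being rewritten, the injected tag stays in step with a worker that generates a fresh nonce per request.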