This repository was archived by the owner on Mar 14, 2024. It is now read-only.
CSP
Sam Thorogood edited this page Oct 14, 2021
The CSP policy is mostly implemented here.

This section inlines a number of built-in scripts as well as any inlineScripts found in a page's front matter.

- Any script that is inlined into the site's HTML is passed through a cspHash filter.
- That filter eventually writes the resulting hashes out to a file.
- That file is read and combined as part of generating the "firebase.json" config file.
- Firebase will send back those headers in response to any request to web.dev (not just for the specific page which uses a given script).
- Browsers will see that list of CSP hashes and know that those specific inline scripts are safe to run.
We set the CSP "strict-dynamic" keyword, which allows external scripts loaded by an already-authorized (hashed) script to run. See MDN for more information.

These are the scripts indicated by pageScripts in a page's front matter. Specifically, this means that those pageScripts do not need to be hashed.