Description

Similar to #15686, overlay.ts uses innerHTML (vite/packages/vite/src/client/overlay.ts, line 180 in b2873ac). innerHTML isn't compatible with require-trusted-types-for, so this fails.

Suggested solution

I think the easiest solution here is turning the template (vite/packages/vite/src/client/overlay.ts, line 11 in b2873ac) into a Trusted Type policy (MDN example) if TTs are defined, and leaving it as a string otherwise. This would also require updating the innerHTML call for the template if TTs are available, too.

Alternative

The other alternative is converting this to DOM creation calls and appending it to the DOM, but per my proposed solution to #15686, I'm assuming that's not a likely solution that y'all are interested in adopting.

Additional context

This can be tested now by following my steps in #15686 (comment) and forcing Vite to throw an error.

I did a quick search of the codebase and this was the only core file that I found that used innerHTML, but it's possible there are other cases where this would throw for the CSP that I'm not otherwise aware of. I'd also recommend adding to the Vite coding style guide to avoid innerHTML in core code shipped to browsers.

I'm also happy to write the Trusted Types conversion for this as I've got an environment set up to test this on already, but am going to hold off doing so until maintainers give me a +1 to do so.
I agree with you here. This is for internal code so we should be fine here. It is different than with the template. At the risk of making you do work again that we don't end up merging, I think the best is to send the PR so we can discuss with the change on the table.
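The suggested fix in the issue above (wrap the static template in a Trusted Types policy when `window.trustedTypes` exists, otherwise keep the plain string) as an added example; this is not Vite's code and not the reporter's patch. The policy name `vite-overlay`, the function names, and the `OVERLAY_TEMPLATE` string are assumptions. Because Trusted Types is a browser API, the block takes the `trustedTypes` object as a parameter and includes constructed mocks for it and for an element whose page is served with `require-trusted-types-for 'script'`, so the old failure and the fixed path both run offline.

```javascript
// Added example, not Vite's own code. Feature-detects Trusted Types, wraps a
// static HTML template in a policy when the API exists, and falls back to a
// plain string otherwise. Policy name "vite-overlay", OVERLAY_TEMPLATE and all
// function names are hypothetical.

const OVERLAY_TEMPLATE = '<div class="overlay"><pre class="message"></pre></div>';

// One policy per trustedTypes object: browsers throw on a second createPolicy()
// with the same name (unless the CSP carries 'allow-duplicates'), and the name
// must be permitted by the page's `trusted-types` directive if one is set.
const policyCache = new WeakMap();

function getPolicy(trustedTypes) {
  let policy = policyCache.get(trustedTypes);
  if (!policy) {
    policy = trustedTypes.createPolicy('vite-overlay', {
      // The template is a compile-time constant, so a pass-through rule is
      // sound here. Never route attacker-influenced strings through it.
      createHTML: (s) => s,
    });
    policyCache.set(trustedTypes, policy);
  }
  return policy;
}

// Returns TrustedHTML when Trusted Types are available, else the raw string.
function createOverlayHtml(trustedTypes, template = OVERLAY_TEMPLATE) {
  if (trustedTypes && typeof trustedTypes.createPolicy === 'function') {
    return getPolicy(trustedTypes).createHTML(template);
  }
  return template;
}

// The innerHTML assignment that the CSP gates. In a browser `trustedTypes`
// is window.trustedTypes (undefined where the API is unsupported).
function renderOverlay(element, trustedTypes) {
  element.innerHTML = createOverlayHtml(trustedTypes);
  return element.innerHTML;
}

// ---- constructed mocks standing in for browser objects (not browser code) ----

class FakeTrustedHTML {
  constructor(value) { this.value = value; }
  toString() { return this.value; }
}

function makeFakeTrustedTypes() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      names.add(name);
      return { name, createHTML: (s) => new FakeTrustedHTML(rules.createHTML(String(s))) };
    },
    isHTML: (v) => v instanceof FakeTrustedHTML,
  };
}

// An element whose innerHTML setter enforces the CSP when `enforce` is true,
// mirroring the TypeError a browser raises for a plain-string assignment
// under `require-trusted-types-for 'script'`.
function makeFakeElement(enforce, trustedTypes) {
  const el = { html: '' };
  Object.defineProperty(el, 'innerHTML', {
    get() { return el.html; },
    set(v) {
      if (enforce && !(trustedTypes && trustedTypes.isHTML(v))) {
        throw new TypeError("This document requires 'TrustedHTML' assignment.");
      }
      el.html = String(v);
    },
  });
  return el;
}

// Exercises the three cases the issue describes and returns the outcomes.
function demo() {
  const tt = makeFakeTrustedTypes();
  const enforcing = makeFakeElement(true, tt);
  const legacy = makeFakeElement(false, undefined);
  return {
    // Current overlay.ts behaviour under the CSP: raw string assignment throws.
    rawStringUnderCsp: (() => {
      try { enforcing.innerHTML = OVERLAY_TEMPLATE; return 'ok'; }
      catch (e) { return e.constructor.name; }
    })(),
    // Proposed fix: policy output is accepted, and a second render reuses the
    // cached policy instead of hitting the duplicate-name error.
    policyUnderCsp: renderOverlay(enforcing, tt) === OVERLAY_TEMPLATE &&
                    renderOverlay(enforcing, tt) === OVERLAY_TEMPLATE,
    // Browser without Trusted Types: the plain string still works.
    noTrustedTypes: renderOverlay(legacy, undefined) === OVERLAY_TEMPLATE,
  };
}
```

The same gate applies to `outerHTML` and `insertAdjacentHTML`, so a codebase search for `innerHTML` alone, as the reporter notes, may not find every sink the CSP will reject.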