Replace unsafe-inline with CSP nonces for script-src
SvelteKit now handles script-src with automatic nonces via its built-in CSP support. The hooks handler merges extra directives (style-src, font-src, img-src, etc.) onto SvelteKit's nonce-based policy for page responses, and sets a full CSP for API responses. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -8,6 +8,12 @@ const config = {
|
||||
$components: 'src/lib/components',
|
||||
$server: 'src/lib/server',
|
||||
$utils: 'src/lib/utils'
|
||||
},
|
||||
csp: {
|
||||
directives: {
|
||||
'default-src': ['self'],
|
||||
'script-src': ['self']
|
||||
}
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user