qwik: [🐞] nonce is missing on scripts

Which component is affected?

Qwik City (routing)

Describe the bug

I’m not sure what exactly this code is. It looks like something in qwik city.

These two tags are rendered in preview without a nonce.

    <script>
    (function() {
        const l = location
        , c = l.pathname + l.search
        , t = "_qCityPopstateFallback"
        , o = "_qCityHistory";
        window[t] || (window[t] = ()=>{
            window[o] || c === (l.pathname + l.search) || l.reload()
        }
        ,
        setTimeout(()=>{
            addEventListener("popstate", window[t])
        }
        , 0))
    }
    )();
    </script>
    <!--/qv-->
    <!--/qv-->
    <script q:key="1Z_0">
        ((s,a,i,r)=>{
            i = (e,t)=>{
                t = document.querySelector("[q\\:base]"),
                t && a.active && a.active.postMessage({
                    type: "qprefetch",
                    base: t.getAttribute("q:base"),
                    ...e
                })
            }
            ,
            document.addEventListener("qprefetch", e=>{
                const t = e.detail;
                a ? i(t) : t.bundles && s.push(...t.bundles)
            }
            ),
            navigator.serviceWorker.register("/service-worker.js").then(e=>{
                r = ()=>{
                    a = e,
                    i({
                        bundles: s
                    })
                }
                ,
                e.installing ? e.installing.addEventListener("statechange", t=>{
                    t.target.state == "activated" && r()
                }
                ) : e.active && r()
            }
            ).catch(e=>console.error(e))
        }
        )([])
    </script>

Reproduction

https://github.com/the-zimmermann/csp-nonce-issue

Steps to reproduce

Just run preview

Run a qwik app with a plugin middleware:

plugin@csp.ts

    import type { RequestHandler } from '@builder.io/qwik-city';

    export const onRequest: RequestHandler = (ev) => {
      // Number.prototype.toString accepts a radix of 2..36; radix 55 throws a RangeError.
      // A timestamp is also guessable, so a production nonce should come from a CSPRNG.
      const nonce = Date.now().toString(36);
      // Qwik City reads the per-request nonce from the '@nonce' key of sharedMap.
      ev.sharedMap.set('@nonce', nonce);

      const csp = [
        `default-src 'self' 'unsafe-inline'`,
        `font-src 'self' `,
        `img-src 'self' `,
        `script-src 'strict-dynamic' 'unsafe-inline' 'nonce-${nonce}' `,
        `style-src 'self' 'unsafe-inline'`,
        `frame-src 'self' 'nonce-${nonce}'`,
        `object-src 'none'`,
        `base-uri 'self'`,
        `require-trusted-types-for 'script'`
      ];

      ev.headers.set(
        'Content-Security-Policy',
        csp.join('; ')
      );
    };

System Info

    Binaries:
      Node: 16.17.0 - /usr/local/bin/node
      Yarn: 1.22.19 - ~/.yarn/bin/yarn
      npm: 8.15.0 - /usr/local/bin/npm
    Browsers:
      Chrome: 113.0.5672.126
      Edge: 113.0.1774.57
      Firefox: 108.0.2
      Safari: 16.4
    npmPackages:
      @builder.io/qwik: ^1.1.4 => 1.1.4
      @builder.io/qwik-city: ^1.1.4 => 1.1.4
      undici: 5.22.0 => 5.22.0
      vite: 4.3.3 => 4.3.3

Additional Information

No response

About this issue

  • State: closed
  • Created a year ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

@tzdesign is there a PR open for this change yet? I haven't seen one.

Found it under the docs pr