# Can strict CSP interfere with Astro Actions?


runic carbon

Heya! Do on-demand pages ship scripts that I need to configure in the Content Security Policy? Currently I am using:

  • output:"server",
  • Astro Actions for comment submission,
  • Netlify adapter.

My strict CSP includes only a hash for Google Analytics:
Content-Security-Policy: script-src 'sha256-{HASHED_INLINE_SCRIPT}' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none';

strange cargo

By default, Astro ships 0 JS. If you have something like Astro's view transitions (not the browser ones!), that's gonna use scripts. Same goes for server islands: they also have a bit of JS, but the latter one is inlined within the HTML, so I'm not sure that applies here.
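
An added example, not part of the thread or of Astro's code: a Node.js model of how a CSP Level 3 browser evaluates inline scripts against the `script-src` shape quoted in the question. The two inline script strings are constructed stand-ins, and the model assumes the policy carries a `script-src` directive and covers hashes only, not nonces.

```javascript
// Added example (not from the thread): how a CSP Level 3 browser evaluates
// inline scripts against the script-src shape quoted in the question.
const { createHash } = require('node:crypto');

// Hash source for an inline script: base64 SHA-256 of the exact text
// between <script> and </script>, whitespace included.
function inlineScriptHash(scriptText) {
  const digest = createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Return the source expressions of the script-src directive.
function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return [];
}

// Drop the sources a CSP3 browser ignores: 'unsafe-inline' once a hash, nonce or
// 'strict-dynamic' is present; host/scheme sources and 'self' under 'strict-dynamic'.
function effectiveSources(policy) {
  const sources = scriptSrcSources(policy);
  const isHashOrNonce = (s) => /^'(sha(256|384|512)|nonce)-/.test(s);
  const strictDynamic = sources.includes("'strict-dynamic'");
  const hasHashOrNonce = sources.some(isHashOrNonce);
  return sources.filter((s) => {
    if (s === "'unsafe-inline'") return !hasHashOrNonce && !strictDynamic;
    if (strictDynamic && !s.startsWith("'")) return false; // e.g. https:, host names
    if (strictDynamic && s === "'self'") return false;
    return true;
  });
}

// An inline script runs only if its hash is listed or 'unsafe-inline' survived.
function inlineAllowed(policy, scriptText) {
  const effective = effectiveSources(policy);
  return effective.includes("'unsafe-inline'") || effective.includes(inlineScriptHash(scriptText));
}

// Constructed sample inputs: stand-ins, not real analytics or Astro output.
const ANALYTICS_INLINE = 'window.dataLayer = window.dataLayer || [];';
const FRAMEWORK_INLINE = 'document.currentScript.remove();';
const POLICY = `script-src ${inlineScriptHash(ANALYTICS_INLINE)} 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'; base-uri 'none';`;

console.log(effectiveSources(POLICY));
console.log(inlineAllowed(POLICY, ANALYTICS_INLINE), inlineAllowed(POLICY, FRAMEWORK_INLINE));
```

In this model `https:` and `'unsafe-inline'` drop out of the effective list, so any inline script the page emits needs its own hash in the policy.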