fix: remove unnecessary guards that require CSP privilege when removing event attributes #15846


Open: wants to merge 2 commits into base: main

Conversation

ryanatkn (Contributor) commented Apr 29, 2025

In the client code replay_events, accessing dom.onload and dom.onerror causes CSP violations without unsafe-inline for script-src-attr or script-src. Fortunately the guards are unnecessary because Element.removeAttribute is a no-op when it doesn't exist (MDN), so it's straightforward cleanup that shaves bytes regardless of the CSP behavior.

Reproduction - https://github.com/ryanatkn/svelte-reproduction-csp-inline-script in this commit

From what I can tell, this partially addresses a couple of issues but doesn't close them - it only silences the problems when the handlers are not added (they're included for SSR, see here), but when present you still get errors. Specifically, the repro in #14014 stops erroring with this fix (as does mine), but the repro in #14270, which looks like a duplicate, continues to have one of the two errors, caused by the presence of onload and onerror (not their detection, which is what this PR addresses).

This may be related to some SvelteKit issues like https://github.com/sveltejs/kit/issues/11747, but I didn't see any that could be fully closed by it; it doesn't address the root cause.


Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with feat:, fix:, chore:, or docs:.
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.
  • If this PR changes code within packages/svelte/src, add a changeset (npx changeset).

Tests and linting

  • Run the tests with pnpm test and lint the project with pnpm lint
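As an added example (not code from the Svelte PR or repository), the following contrasts the guarded cleanup described above with the unguarded one. It uses a constructed stand-in element that records reads of the `onload`/`onerror` properties, because in a real browser reading those properties is what forces the inline handler attribute to be compiled and is what CSP blocks without 'unsafe-inline' for script-src-attr or script-src; `makeElement`, `cleanupGuarded`, `cleanupUnguarded` and `compare` are hypothetical names chosen here.

```javascript
// Constructed stand-in for a DOM element (not a real Element). It records
// which handler properties are read and implements removeAttribute as a
// no-op when the attribute is absent, matching the MDN behaviour.
function makeElement(attrs) {
  const el = {
    attributes: new Map(Object.entries(attrs)),
    propertyReads: [],                 // handler properties that were read
    removeAttribute(name) {            // silently ignores missing attributes
      this.attributes.delete(name);
    },
  };
  for (const name of ['onload', 'onerror']) {
    Object.defineProperty(el, name, {
      get() {
        // In a browser this read compiles the inline handler: the CSP hit.
        el.propertyReads.push(name);
        return el.attributes.has(name) ? () => {} : null;
      },
    });
  }
  return el;
}

// Before: guards read dom.onload / dom.onerror before removing them.
function cleanupGuarded(dom) {
  if (dom.onload) dom.removeAttribute('onload');
  if (dom.onerror) dom.removeAttribute('onerror');
  return dom;
}

// After: removeAttribute already tolerates a missing attribute, so the
// guards are dropped and the handler properties are never read.
function cleanupUnguarded(dom) {
  dom.removeAttribute('onload');
  dom.removeAttribute('onerror');
  return dom;
}

// Runs both variants on identical constructed input and reports the
// property reads each caused and whether the resulting attributes match.
function compare(attrs) {
  const a = cleanupGuarded(makeElement(attrs));
  const b = cleanupUnguarded(makeElement(attrs));
  return {
    guardedReads: a.propertyReads,
    unguardedReads: b.propertyReads,
    sameAttributes:
      [...a.attributes.keys()].join() === [...b.attributes.keys()].join(),
  };
}
```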


changeset-bot bot commented Apr 29, 2025

🦋 Changeset detected

Latest commit: 5428af5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

Name: svelte, Type: Patch


Playground

pnpm add https://pkg.pr.new/svelte@15846
