fix(csp): CSP headers in development server (#14283)

ematipico · ascorbic · web-flow · commit 3224637eca5c · 2025-08-28T20:16:35.000+01:00
* fix(csp): CSP headers in development server

* Update packages/astro/src/core/render-context.ts

Co-authored-by: Matt Kane &lt;m@mk.gg&gt;

---------

Co-authored-by: Matt Kane &lt;m@mk.gg&gt;
diff --git a/.changeset/curly-laws-roll.md b/.changeset/curly-laws-roll.md
@@ -0,0 +1,5 @@
+---
+'astro': patch
+---
+
+Fixes an issue where CSP headers were incorrectly injected in the development server.
diff --git a/packages/astro/src/core/render-context.ts b/packages/astro/src/core/render-context.ts
@@ -59,6 +59,7 @@ export class RenderContext {
 		protected url = new URL(request.url),
 		public props: Props = {},
 		public partial: undefined | boolean = undefined,
+		public shouldInjectCspMetaTags = !!pipeline.manifest.csp,
 		public session: AstroSession | undefined = pipeline.manifest.sessionConfig
 			? new AstroSession(cookies, pipeline.manifest.sessionConfig, pipeline.runtimeMode)
 			: undefined,
@@ -87,9 +88,19 @@ export class RenderContext {
 		props,
 		partial = undefined,
 		actions,
+		shouldInjectCspMetaTags,
 	}: Pick<RenderContext, 'pathname' | 'pipeline' | 'request' | 'routeData' | 'clientAddress'> &
 		Partial<
-			Pick<RenderContext, 'locals' | 'middleware' | 'status' | 'props' | 'partial' | 'actions'>
+			Pick<
+				RenderContext,
+				| 'locals'
+				| 'middleware'
+				| 'status'
+				| 'props'
+				| 'partial'
+				| 'actions'
+				| 'shouldInjectCspMetaTags'
+			>
 		>): Promise<RenderContext> {
 		const pipelineMiddleware = await pipeline.getMiddleware();
 		const pipelineActions = actions ?? (await pipeline.getActions());
@@ -114,6 +125,7 @@ export class RenderContext {
 			undefined,
 			props,
 			partial,
+			shouldInjectCspMetaTags ?? !!pipeline.manifest.csp,
 		);
 	}
 	/**
@@ -461,7 +473,7 @@ export class RenderContext {
 
 		const extraStyleHashes = [];
 		const extraScriptHashes = [];
-		const shouldInjectCspMetaTags = !!manifest.csp;
+		const shouldInjectCspMetaTags = this.shouldInjectCspMetaTags;
 		const cspAlgorithm = manifest.csp?.algorithm ?? 'SHA-256';
 		if (shouldInjectCspMetaTags) {
 			for (const style of styles) {
diff --git a/packages/astro/src/vite-plugin-astro-server/route.ts b/packages/astro/src/vite-plugin-astro-server/route.ts
@@ -196,6 +196,7 @@ export async function handleRoute({
 		routeData: route,
 		clientAddress: incomingRequest.socket.remoteAddress,
 		actions,
+		shouldInjectCspMetaTags: false,
 	});
 
 	let response;
@@ -221,6 +222,7 @@ export async function handleRoute({
 				routeData: route,
 				clientAddress: incomingRequest.socket.remoteAddress,
 				actions,
+				shouldInjectCspMetaTags: false,
 			});
 			renderContext.props.error = err;
 			const _response = await renderContext.render(preloaded500Component);
@@ -297,6 +299,7 @@ export async function handleRoute({
 				request,
 				routeData: fourOhFourRoute.route,
 				clientAddress: incomingRequest.socket.remoteAddress,
+				shouldInjectCspMetaTags: false,
 			});
 			response = await renderContext.render(fourOhFourRoute.preloadedComponent);
 		}
diff --git a/packages/astro/test/fixtures/ssr-trailing-slash/package.json b/packages/astro/test/fixtures/ssr-trailing-slash/package.json
@@ -7,7 +7,7 @@
     "start": "node dist/server/entry.mjs"
   },
   "dependencies": {
-    "astro": "file:../../",
-    "@astrojs/node": "^8.0.0"
+    "astro": "workspace:*",
+    "@astrojs/node": "workspace:*"
   }
-}
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'astro': patch
 +---
++
 +Fixes an issue where CSP headers were incorrectly injected in the development server.