imported svg <style> tags not bundled causing csp hash warnings

[jpc-ae]

Astro Info

Astro                    v6.0.0-beta.19
Node                     v24.11.0
System                   Windows (x64)
Package Manager          pnpm
Output                   static
Adapter                  none
Integrations             @astrojs/sitemap
                         astro-robots
                         astro-compressor

If this issue only occurs in one browser, which browser is a problem?

all

Describe the Bug

As of Astro v6, CSP is no longer considered experimental. This mostly works great, except when an SVG file with <style></style> tags is imported as a component.

It looks like these style tags are not being hashed, and so browsers are complaining of a CSP violation. The workaround at the moment is to add the hash manually under styleDirective: { hashes: [...] }, but when svg components are imported as components, I think the expectation is that they will be included in any relevant features like this.

Note that unsafe-hashes is not required as long as the svg is using classes and <style> tags. These just need to be hashed.

What's the expected result?

No CSP errors should show when building a project with imported SVGs that have embedded style tags.

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-ysa8w4hg?file=src%2Fpages%2Findex.astro

Participation

• I am willing to submit a pull request for this issue.

[astrobot-houston]

I was able to reproduce this issue. When an SVG file with embedded <style> tags is imported as a component and CSP is enabled (security: { csp: true }), the inline <style> tags within the SVG are not hashed and are missing from the style-src CSP directive. This is because the SVG component rendering pipeline (createSvgComponent) injects SVG children as raw HTML via unescapeHTML(), completely bypassing the CSP hash collection mechanism — the styles are not part of page.styles, headElements(), or any other tracked collection.

I was able to fix this issue. The fix extracts <style> text content from the SVG during parsing (in svg.ts), passes it to createSvgComponent as a separate styles array, and hashes each style at render time when CSP is enabled. A placeholder approach is used in the CSP <meta> tag so that hashes computed during body rendering (after the <head> has been emitted) are included in the final CSP policy. All existing CSP, SVG, and content collection tests pass. View Suggested Fix

P4: important. This affects any user who enables CSP and imports SVG files with embedded <style> tags as components — a documented and supported Astro feature. The workaround (manually adding hashes to styleDirective.hashes) is brittle and defeats the purpose of automatic CSP hash management. This violates the expected behavior of the CSP feature when used with SVG components.

Full Triage Report

Issue #15838: Imported SVG <style> tags not bundled causing CSP hash warnings

Reproduction

Reproduced: Yes

When an SVG file with embedded <style> tags is imported as a component and CSP is enabled, the inline <style> tags within the SVG are not hashed. This means the browser blocks them due to CSP violations since their hashes are missing from the style-src directive.

Steps:

1. Create an SVG file with embedded <style> tags
2. Import it as a component in an Astro page
3. Enable CSP in astro.config.mjs with security: { csp: true }
4. Build the project
5. Check the CSP meta tag — the SVG's <style> hashes are missing

Build output: style-src 'self' ; — no hash for the SVG's inline <style> tag. Regular Astro component <style> tags ARE correctly hashed.

Diagnosis

Confidence: High

Root Cause: SVG inline <style> tags bypass the CSP hash tracking pipeline entirely.

The SVG component rendering pipeline (createSvgComponent in packages/astro/src/assets/runtime.ts) injects SVG children (including <style> elements) as raw HTML via unescapeHTML(children). This content is never registered with any CSP hash tracking mechanism:

1. It's not part of page.styles (CSS modules, scoped styles)
2. It's not part of pipeline.headElements()
3. It's not a CSS file in clientChunksAndAssets
4. It's not injected via settings.injectedCsp.styleHashes

Affected Files

1. packages/astro/src/assets/runtime.ts — createSvgComponent() discards the result (SSRResult) parameter and renders SVG children via unescapeHTML() without CSP awareness.
2. packages/astro/src/assets/utils/svg.ts — Parses SVG and bundles all inner HTML into a single children string without extracting style contents.
3. packages/astro/src/core/csp/common.ts — trackStyleHashes() only aware of page-level scoped styles, CSS assets, and island styles.

Fix

Six files modified in packages/astro/src/:

1. assets/utils/svg.ts — Added collectStyleContents() to extract text content of <style> elements from the ultrahtml AST during SVG parsing.
2. assets/runtime.ts — Updated createSvgComponent() to hash embedded SVG styles and register them with result._metadata.extraStyleHashes when CSP is enabled.
3. runtime/server/render/csp.ts — Added CSP_META_PLACEHOLDER and replaceCspMetaPlaceholder() for deferred CSP content injection.
4. runtime/server/render/head.ts — Changed to emit placeholder instead of final CSP content during head rendering.
5. runtime/server/render/page.ts — Added placeholder replacement after full page rendering completes.
6. content/runtime.ts — Updated __svgData type to include the new styles field.

Verification

• Before fix: style-src 'self' ; (no SVG style hash)
• After fix: style-src 'self' 'sha256-9MGwaNFkxYmI37Fz9yFFdOaIItUZLFmiU+5/GwWXWfc=';

All existing tests pass (CSP integration, CSP rendering, SVG component, content collection SVG, CSP server islands, SVG deduplication, CSP common/runtime unit tests).

This report was made by an LLM. Mistakes happen, check important info.

[matthewp]

@ematipico The AI fix looks okish to me at first glance, what do you think? https://github.com/withastro/astro/compare/flue/fix-15838?expand=1

[jpc-ae]

As the author, I would like to know if the fix also works with the experimental svgo flag, as in will the optimization affect the hash. At first glance, I can't tell whether it's collecting the string for hashing before or after optimization. I will do a quick test, but if someone who knows more could check that would be great.

[jpc-ae]

From what I can tell, the bot fix does seem to work with the svgo pipeline, so it would be nice if this could be merged (or reworked and merged if there's some other consideration I've overlooked). Double-checking hashes for my css animated svgs is a pain, and it also blocks random prefixIds from being used with svgo.

[ematipico]

@ematipico The AI fix looks okish to me at first glance, what do you think? flue?expand=1 (compare)

It's just a dirty trick to not use head propagation... I have mixed feelings. It could work, but it's not the best solution.