CSP: Missing support for latest style and script aka CSP level 3

[L1ghtn1ng]

Astro Info

Astro                    v6.1.3
Vite                     v7.3.1
Node                     v22.22.1
System                   Linux (x64)
Package Manager          npm
Output                   static
Adapter                  @astrojs/cloudflare (v13.1.7)
Integrations             @astrojs/starlight (v0.38.2)

If this issue only occurs in one browser, which browser is a problem?

All

Describe the Bug

In astro with the csp enabled, you cannot set script-src-elem and style-src-attr primitives which are the newer endpoints to use so you get csp errors in the browser console which you can see for example on flasgo. There could be more than one bug here, being due to astro not handling these primitives and possibly starlight doing things that makes it also fail the csp, but if there is a bug with starlight its being clouded by astro not having/generating those primitives I mentioned before.

What's the expected result?

Be able to put them in your astro config file and not make the build error out and or auto generate the primitives like is done for script-src and style-src

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-czqujyie?file=astro.config.mjs

Participation

• I am willing to submit a pull request for this issue.

[astrobot-houston]

I was able to reproduce this issue. Astro's CSP implementation only emits script-src and style-src (CSP Level 2) directives and does not support the more granular CSP Level 3 directives (script-src-elem, style-src-elem, script-src-attr, style-src-attr). The ALLOWED_DIRECTIVES validation list in packages/astro/src/core/csp/config.ts:43-65 explicitly excludes these directives, and the renderCspContent() function in packages/astro/src/runtime/server/render/csp.ts:39-40 only generates script-src and style-src. This means users cannot add these Level 3 directives via the directives config option (the build will reject them), nor does Astro auto-generate them with the appropriate hashes.

I was unable to find a fix for this issue. Per the CSP specification, when script-src-elem/style-src-attr are not present in a policy, browsers fall back to script-src/style-src respectively, so Astro's current output is valid on its own. However, the issue arises when users set Level 3 directives externally (e.g., via HTTP headers from a CDN like Cloudflare), because those override the fallback from script-src/style-src and Astro has no mechanism to populate them with the necessary hashes. A fix would likely involve: (1) adding script-src-elem, style-src-elem, script-src-attr, and style-src-attr to the ALLOWED_DIRECTIVES list so users can manually specify them, and/or (2) optionally mirroring the auto-generated hashes from script-src/style-src into their Level 3 counterparts. The core logic lives in packages/astro/src/core/csp/config.ts (directive validation) and packages/astro/src/runtime/server/render/csp.ts (CSP string assembly).

P2: nice to have. Astro's current CSP Level 2 output (script-src/style-src) is spec-compliant and works correctly when no Level 3 directives are set elsewhere. This primarily affects users who need to set more granular CSP Level 3 directives via external mechanisms (CDN headers, server config) alongside Astro's built-in CSP — a relatively niche scenario. For most users, the existing script-src/style-src directives provide adequate coverage.

Full Triage Report

Reproduction

Confirmed: CSP Level 3 directives are not supported in Astro's CSP implementation.

Steps to Reproduce

1. Enable CSP in Astro config with security: { csp: true }
2. Attempt to add a CSP Level 3 directive like script-src-elem 'self' to the directives array
3. The build fails validation because script-src-elem is not in the allowed directives list

Verification

• The ALLOWED_DIRECTIVES constant in packages/astro/src/core/csp/config.ts:43-65 does not include any of: script-src-elem, style-src-elem, script-src-attr, style-src-attr
• The allowedDirectivesSchema Zod validator at line 69-75 rejects any directive not starting with one of the allowed prefixes
• The renderCspContent() function at packages/astro/src/runtime/server/render/csp.ts:39-40 hardcodes only script-src and style-src in its output

Diagnosis

Root Cause: By design, Astro's CSP feature was implemented using CSP Level 2 directives only. The script-src and style-src directives are auto-generated with hashes for all bundled scripts and styles. CSP Level 3 introduced more granular directives that override these fallbacks:

• script-src-elem — controls <script> elements (overrides script-src fallback)
• script-src-attr — controls inline event handlers (overrides script-src fallback)
• style-src-elem — controls <style> elements and <link> stylesheets (overrides style-src fallback)
• style-src-attr — controls inline style attributes (overrides style-src fallback)

When a user sets any of these Level 3 directives externally (e.g., via Cloudflare HTTP headers), the browser stops falling back to script-src/style-src for that specific category, and since Astro doesn't populate the Level 3 directives with hashes, the content is blocked.

Key files:

• packages/astro/src/core/csp/config.ts — Directive validation and allowed list
• packages/astro/src/runtime/server/render/csp.ts — CSP string assembly
• packages/astro/src/types/public/config.ts:714-1052 — CSP config type definitions

Confidence: High — the code clearly shows no Level 3 directive support.

Classification

This is a feature request to add CSP Level 3 directive support, not a bug in existing behavior. Astro's current CSP Level 2 output is spec-compliant.

This report was made by an LLM. Mistakes happen, check important info.

[amorey]

Agreed, it would be very helpful to support these features. Currently Astro's CSP support is incompatible with Shiki but I believe that allowing users to set style-src-attr themselves would allow them to solve the problem.

[matthewp]

Astrobot, why don't you try applying the fix described above.

[astrobot-houston]

• Reproduced: Yes
• Exploration: Yes — View branch
• Unit Test: Yes — test/units/config/config-validate.test.ts and test/units/csp/rendering.test.ts
• Priority: P2: nice to have. Astro's existing CSP Level 2 output (script-src/style-src) is spec-compliant and works for most users. This primarily affects users who need granular CSP Level 3 directives alongside external CSP policies (e.g., CDN headers from Cloudflare) or who need style-src-attr for Shiki compatibility.

The ALLOWED_DIRECTIVES list in packages/astro/src/core/csp/config.ts does not include the four CSP Level 3 directives (script-src-elem, script-src-attr, style-src-elem, style-src-attr). Additionally, the startsWith('script-src') check in the validation error branch incorrectly catches script-src-elem (because "script-src-elem".startsWith("script-src") is true), giving users a misleading error message. Even if directives could pass validation, renderCspContent() in packages/astro/src/runtime/server/render/csp.ts only generates script-src and style-src with auto-generated hashes — Level 3 directives would not receive the hashes.

I found a potential fix for this issue. The fix adds the four Level 3 directives to ALLOWED_DIRECTIVES, fixes the startsWith collision to use exact directive name matching, and mirrors auto-generated script/style hashes into any Level 3 directives the user configures. All existing tests pass with no regressions.

Try this fix

You can test this fix right now without waiting for a release:

npm i https://pkg.pr.new/astro@7f797b7

If this fixes your issue, please leave a comment letting us know (e.g. "confirmed, this fixes it"). We'll then open a pull request to get this merged.

Full Triage Report

Reproduction

Confirmed: CSP Level 3 directives are not supported in Astro's CSP implementation.

Steps to Reproduce

1. Enable CSP in Astro config with security: { csp: true }
2. Attempt to add a CSP Level 3 directive like script-src-elem 'self' to the directives array
3. The build fails validation because script-src-elem is not in the allowed directives list

Actual Error

[config] Astro found issue(s) with your configuration:

! security.csp: Did not match union.
  > Expected type boolean | { Directives script-src and style-src are not allowed in security.csp.directives. Please use security.csp.scriptDirective and security.csp.styleDirective instead. }
  > Received { "directives": [ "script-src-elem 'self'", "style-src-attr 'unsafe-inline'" ] }

Diagnosis

Root Cause (two parts):

1. Config validation rejects Level 3 directives — The ALLOWED_DIRECTIVES array in packages/astro/src/core/csp/config.ts (lines 43–65) does not include script-src-elem, script-src-attr, style-src-elem, or style-src-attr. The startsWith('script-src') check in the error branch (line 76) also incorrectly catches Level 3 directives like script-src-elem because "script-src-elem".startsWith("script-src") is true, showing a misleading error message.

2. No hash mirroring for Level 3 directives — renderCspContent() in packages/astro/src/runtime/server/render/csp.ts (lines 38–40) only assembles script-src and style-src with auto-generated hashes. User-provided directives are passed through as-is without hash augmentation, so even if Level 3 directives could pass validation, they would not receive the necessary hashes.

Confidence: High

Fix

Changes Made

packages/astro/src/core/csp/config.ts:

• Added script-src-attr, script-src-elem, style-src-attr, style-src-elem to the ALLOWED_DIRECTIVES array
• Fixed validation error branch to use exact directive name matching (directiveName === 'script-src') instead of startsWith

packages/astro/src/runtime/server/render/csp.ts:

• When processing user-provided directives, Level 3 script directives (script-src-elem, script-src-attr) now get auto-generated script hashes appended, and Level 3 style directives (style-src-elem, style-src-attr) get auto-generated style hashes appended

Unit Tests Added

• test/units/config/config-validate.test.ts — Verifies all four Level 3 directives pass config validation
• test/units/csp/rendering.test.ts — Three tests: script hash mirroring to script-src-elem, style hash mirroring to style-src-elem/style-src-attr, and edge case with no hashes

All 4 new tests pass. All existing CSP tests pass with no regressions.

Verification

• Build succeeds with Level 3 directives in config (previously failed)
• CSP meta tag includes script-src-elem 'self' 'sha256-...' with all auto-generated hashes
• csp: true and other existing configurations continue to work correctly
• script-src and style-src in directives still produce the correct redirect error message

This report was made by an LLM. The analysis may be wrong, and the potential fix might not work, but is intended as a starting point for exploring the issue.

[L1ghtn1ng]

confirmed, this fixes it