Responsive images violates CSP

[stephen-sorley]

Astro Info

Astro                    v6.3.1
Node                     v24.14.0
System                   Linux (x64)
Package Manager          pnpm
Output                   static
Adapter                  @astrojs/cloudflare
Integrations             @astrojs/sitemap

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

When responsive images are enabled, the fix provided for issue #16215 last week causes an attribute such as style="object-position: center" to be added to every img tag in the output HTML.

When Content Security Policy is enabled via security.csp in the Astro config, this style is blocked by current browsers (seen in Chrome 147), because Astro does not produce a hash for it, and Astro would need to set "unsafe-hashes" in the produced Content-Security-Policy meta tag anyway for the hash to have an effect.

It is not possible to work around this issue currently without manually editing the produced CSP tag in middleware, because Astro does not provide a way to include "unsafe-hashes" in the security.csp.styleDirective section of the configuration settings, as it is a CSP level 3 feature.

What's the expected result?

Enabling both responsive images and astro's CSP support should result in a site with no CSP issues, as seen in Chrome Dev Tools when the page is loaded in preview, or in production.

Preferably, Astro should not be using inline style attributes at all, as allowing them is considered unsafe - see MDN. Refactoring the fix from #16215 to bundle the necessary CSS in some other way (such as a separate <style> tag with an auto-generated hash) would be best.

If that is not possible, Astro should automatically add "unsafe-hashes" and a hash generated from the attribute content to either style-src-attr (preferred, but currently blocked by #16233) or style-src.

Link to Minimal Reproducible Example

https://github.com/stephen-sorley/astro-responsive-images-csp

Participation

• I am willing to submit a pull request for this issue.

[stephen-sorley]

whoops, this isn't fixed, reopening - issue was erroneously marked completed by github automation when I committed a temporary workaround for this bug in my own project.

[matthewp]

Triage bot, do your thing.

[jpc-ae]

Triage bot try again and see if PR #16236 can be refactored for CSP compliance.

[astrobot-houston]

• Reproduced: Yes
• Exploration: Yes — View branch
• Unit Test: Yes — test/units/assets/getImage.test.ts (updated 2 tests + added CSP compliance test), test/units/assets/utils.test.ts (added generateImagePositionCSS tests)
• Priority: P4: important. This affects any user combining two documented features (image.layout + security.csp). The inline style="object-position: center" is added to every responsive image by default, so all users with both features enabled will see CSP violations in the browser console, and the object-position styling will be silently blocked.

PR #16236 (fixing #16215) introduced inline style="object-position: center" attributes on every responsive <img> tag. This directly contradicts the CSP-safe architecture established by PR #15407, which explicitly moved responsive image styles to data attributes + hashed <style> tags to avoid CSP violations. The inline style attribute is blocked by the style-src 'self' directive that Astro's own CSP system generates, since inline style attributes require 'unsafe-hashes' (a CSP Level 3 feature Astro does not support).

I found a potential fix for this issue. The fix removes the inline style injection from getImage() in internal.ts and instead delivers the object-position CSS via a new virtual CSS module (virtual:astro:image-position-styles.css). This module is processed by Vite, injected as a <style> tag in the <head>, and automatically hashed by Astro's CSP system — making it fully CSP-compliant. The data-astro-image-pos data attribute continues to be set for CSS targeting.

Full Triage Report

Issue #16656: Responsive images violates CSP

Original Issue

Title: Responsive images violates CSP

Reporter: stephen-sorley

Description: When responsive images are enabled (image.layout: 'constrained'), the fix provided for issue #16215 in PR #16236 causes an inline style="object-position: center" attribute to be added to every <img> tag in the output HTML. When Content Security Policy is enabled via security.csp in the Astro config, this inline style is blocked by browsers (seen in Chrome 147) because Astro does not produce a hash for it, and would need to set 'unsafe-hashes' in the CSP meta tag for any hash to have effect.

Expected Result: Enabling both responsive images and Astro's CSP support should result in a site with no CSP issues. Preferably, Astro should not be using inline style attributes at all. The reporter suggests refactoring the fix from PR #16236 to use a <style> tag with an auto-generated hash instead of inline styles. If that's not possible, Astro should automatically add 'unsafe-hashes' and a hash generated from the attribute content to style-src-attr or style-src.

Reproduction URL: https://github.com/stephen-sorley/astro-responsive-images-csp

Environment

• Astro v6.3.2 (tested against workspace:* / latest monorepo)
• Node v24.15.0
• pnpm workspace
• Output: static

Reproduction Result: ✅ REPRODUCED

The built dist/index.html contains an <img> with style="object-position: center" while the CSP meta tag specifies style-src 'self' ; — no hash, no unsafe-hashes. Browsers block the inline style.

Baseline Verification

When responsive images are disabled (no image.layout), the output has no inline style and no CSP issues, confirming the problem is specifically from the responsive images + CSP interaction.

Root Cause

PR #16236 (commit c6b068e905) added inline style attributes for object-position on responsive <img> tags. This was a regression that undid the explicit CSP-safe architecture from PR #15407, which had deliberately moved responsive image styles to data attributes + hashed <style> tags.

The Image.astro component defaults position to 'center' for all responsive images, so every responsive image gets style="object-position: center" — even though center is the CSS default for object-position.

Key files:

File	Role
packages/astro/src/assets/internal.ts (lines 172-196)	Where data-astro-image-pos attribute is set (good) AND inline style is added (bad)
packages/astro/components/Image.astro (line 32)	Where position defaults to 'center'
packages/astro/src/assets/utils/generateImageStylesCSS.ts	CSS generation for position via data attributes
packages/astro/src/assets/vite-plugin-assets.ts	Controls whether responsive styles CSS is injected

Verdict: bug (high confidence)

This is a regression. PR #15407 explicitly designed the system to avoid inline styles for CSP, with code comments like "Set data attributes for fit and position for CSP-compliant styling." PR #16236 re-introduced inline styles without awareness of the CSP implications — no PR discussion mentions CSP.

Fix: ✅ SUCCESSFUL

Changes:

1. internal.ts — Removed the inline style injection block (lines 177-196)
2. generateImageStylesCSS.ts — Added generateImagePositionCSS() function
3. consts.ts — Added virtual module IDs for position-only styles
4. vite-plugin-assets.ts — Added astro:image-position-styles Vite plugin that serves position CSS when responsiveStyles: false
5. Tests — Updated 2 existing tests, added 4 new tests (1 CSP compliance test + 3 for generateImagePositionCSS)

Verified: Built HTML now has a hashed <style> in <head> with [data-astro-image-pos=center]{object-position:center}, the hash is in the CSP directive, and no inline style attribute on <img>. All 36 getImage tests, 43 utils tests, and 51 core-image-layout tests pass.

Limitations: For per-image custom position values (e.g., <Image position="left top">), the virtual module only generates CSS for the config-level default. Users needing per-image overrides can use responsiveStyles: true or provide their own CSS targeting data-astro-image-pos.

This report was made by an LLM. The analysis may be wrong, and the potential fix might not work, but is intended as a starting point for exploring the issue.

[jpc-ae]

Note that there are currently 2 workarounds I can think of, though both are, lets say, less than ideal.

1. Add an inline integration that hooks into and removes inline styles from astro:build:setup. (The worst option.)

2. Manually do a find and replace in the build output folder to remove the offending style attributes.

I do wonder though if the complexity of adding object position support is worth it as opposed to just letting authors specify it in their own stylesheets when needed. Otherwise, given that floating unit values can be provided, something like what astrobot is suggesting will be needed where the value is passed to a style generator that can be injected into the head.

---

Edit: removed unsafe-hashes workaround since I forgot it doesn't work with style attributes, only elements. you would need unsafe-inline instead which browsers ignore if there are other hashes available. I do wonder if it should be an option to enable unsafe-inline as an alternative mode for styleDirective at least