CSP: Improve validation message for `security.csp.directives` when `script-src` or `style-src` are used

[HannesOberreiter]

Astro Info

Astro                    v6.3.1
Vite                     v7.3.3
Node                     v22.21.1
System                   macOS (arm64)
Package Manager          npm
Output                   static
Adapter                  none

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

When script-src or style-src are added to security.csp.directives, Astro shows a generic union validation warning:

! security.csp: Did not match union.                                                                                                                                           
> Expected type boolean | { directives.1; directives.3 }                                                                                                                     
> Received { "directives": [ "default-src 'self'", "script-src 'self' https://example.com", "style-src 'self' https://example.com" ] }                                       

I understand that script-src and style-src intentionally do not belong in security.csp.directives, because Astro manages these via security.csp.scriptDirective and security.csp.styleDirective.

The issue is only that the current warning is difficult to understand. It looks like a type/schema problem and does not explain which directive is invalid or where it should be configured instead.

Minimal reproduction

import { defineConfig } from 'astro/config';                                                                                                                                   
                                                                                                                                                                                  
export default defineConfig({                                                                                                                                                  
     security: {                                                                                                                                                                  
       csp: {                                                                                                                                                                     
         directives: [                                                                                                                                                            
           "default-src 'self'",                                                                                                                                                  
           "script-src 'self' https://example.com",                                                                                                                               
           "style-src 'self' https://example.com",                                                                                                                                
         ],                                                                                                                                                                       
       },                                                                                                                                                                         
     },                                                                                                                                                                           
});                                                                                                                                                                  

What's the expected result?

Astro should explain what directives are allowed in the error message.

Maybe one could change and bubble up the zod error message:

if (!ALLOWED_DIRECTIVES.some((allowed) => value.startsWith(allowed))) {
  ctx.addIssue({
    code: 'custom', 
    message: `Unsupported CSP directive. Allowed directives: ${ALLOWED_DIRECTIVES.join(', ')}`,                                                                              
  });                                                                                                                                                                        
}

Link to Minimal Reproducible Example

--

Participation

• I am willing to submit a pull request for this issue.

[astrobot-houston]

• Reproduced: Yes
• Exploration: Yes — View branch
• Priority: P2: Nice to Have. This is a cosmetic DX issue — the validation correctly rejects script-src/style-src, but the error message is confusing. Users who encounter this can resolve it by reading the docs, but the misleading message wastes debugging time.

The root cause is two-fold: the z.custom() validator in packages/astro/src/core/csp/config.ts (line 69) returns a bare boolean with no custom error message, so Zod produces the default "Invalid input". Then, the invalid_union handler in packages/astro/src/core/errors/zod-error-map.ts (line 55–87) doesn't surface custom code errors' messages — it only looks at expected/values properties, falling through to show bare array indices like directives.1 instead of anything helpful.

I found a potential fix for this issue. The fix adds a descriptive message to the z.custom() validator explaining that script-src/style-src are managed by Astro and pointing users to scriptDirective/styleDirective, and also adds a general-purpose improvement to the error map so that custom validation messages inside union branches are surfaced instead of being silently dropped.

Full Triage Report

Issue #16663: CSP: Improve validation message for security.csp.directives when script-src or style-src are used

Original Issue

Title: CSP: Improve validation message for security.csp.directives when script-src or style-src are used
Author: HannesOberreiter
URL: #16663
State: Open
Created: 2026-05-08T08:04:17Z

Issue Description

When script-src or style-src are added to security.csp.directives, Astro shows a generic union validation warning:

! security.csp: Did not match union.
  > Expected type boolean | { directives.1; directives.3 }
  > Received { "directives": [ "default-src 'self'", "script-src 'self' https://example.com", "style-src 'self' https://example.com" ] }

The reporter understands that script-src and style-src intentionally do not belong in security.csp.directives, because Astro manages these via security.csp.scriptDirective and security.csp.styleDirective. The problem is that the current warning is difficult to understand.

Expected Result

Astro should explain what directives are allowed in the error message, or specifically call out that script-src and style-src should be configured via scriptDirective and styleDirective.

Environment

• Astro: v6.3.1
• Node: v22.x
• Output: static
• Adapter: none

Reproduction Result: ✅ REPRODUCED

Steps to Reproduce

1. Create a minimal Astro project
2. Set astro.config.mjs with security.csp.directives containing script-src and/or style-src entries
3. Run astro build (or astro dev)
4. Observe the validation error message

Root Cause

The poor error message is caused by two cooperating issues:

1. packages/astro/src/core/csp/config.ts (line 69–76): The allowedDirectivesSchema uses z.custom() returning a bare boolean — when validation fails, Zod produces the default "Invalid input" message with no context about what went wrong.

2. packages/astro/src/core/errors/zod-error-map.ts (lines 55–87): The invalid_union handler only checks for expected/values properties on sub-errors. For custom code errors (which have neither), it falls through to else if (relativePath) and pushes bare array index paths like directives.1, producing the confusing Expected type boolean | { directives.1; directives.2 } output.

Fix

What Changed

File 1: packages/astro/src/core/csp/config.ts — Added a descriptive message option to z.custom() explaining that script-src and style-src are managed by Astro, pointing users to scriptDirective/styleDirective, and listing all allowed directives.

File 2: packages/astro/src/core/errors/zod-error-map.ts — Added a new check in the invalid_union handler that surfaces custom validation error messages with non-default content. This is a general-purpose improvement benefiting any future z.custom() validators used inside z.union().

Before vs After

Before:

! security.csp: Did not match union.
  > Expected type boolean | { directives.1; directives.2 }
  > Received { "directives": [ "default-src 'self'", "script-src 'self' https://example.com", "style-src 'self' https://example.com" ] }

After:

! security.csp: Did not match union.
  > directives.1: Unsupported CSP directive. `script-src` and `style-src` are managed by Astro automatically. Use `security.csp.scriptDirective` and `security.csp.styleDirective` to configure them. Other allowed directives: base-uri, child-src, connect-src, default-src, ...
  > directives.2: Unsupported CSP directive. `script-src` and `style-src` are managed by Astro automatically. Use `security.csp.scriptDirective` and `security.csp.styleDirective` to configure them. Other allowed directives: base-uri, child-src, connect-src, default-src, ...

Verification Results

• ✅ Original reproduction fixed
• ✅ Valid directives still work
• ✅ CSP as boolean still works
• ✅ Unknown directives show the allowed list
• ✅ All existing tests pass (config-validate: 39, zod-error-map: 14, csp unit: 27, csp integration: 6)
• ✅ Formatting and linting clean

Git Diff

diff --git a/packages/astro/src/core/csp/config.ts b/packages/astro/src/core/csp/config.ts
index e559dc4852..f11ed5f925 100644
--- a/packages/astro/src/core/csp/config.ts
+++ b/packages/astro/src/core/csp/config.ts
@@ -66,11 +66,16 @@ const ALLOWED_DIRECTIVES = [
 type AllowedDirectives = (typeof ALLOWED_DIRECTIVES)[number];
 export type CspDirective = `${AllowedDirectives}${string | undefined}`;
 
-export const allowedDirectivesSchema = z.custom<CspDirective>((value) => {
-	if (typeof value !== 'string') {
-		return false;
-	}
-	return ALLOWED_DIRECTIVES.some((allowedValue) => {
-		return value.startsWith(allowedValue);
-	});
-});
+export const allowedDirectivesSchema = z.custom<CspDirective>(
+	(value) => {
+		if (typeof value !== 'string') {
+			return false;
+		}
+		return ALLOWED_DIRECTIVES.some((allowedValue) => {
+			return value.startsWith(allowedValue);
+		});
+	},
+	{
+		message: `Unsupported CSP directive. \`script-src\` and \`style-src\` are managed by Astro automatically. Use \`security.csp.scriptDirective\` and \`security.csp.styleDirective\` to configure them. Other allowed directives: ${ALLOWED_DIRECTIVES.join(', ')}.`,
+	},
+);
diff --git a/packages/astro/src/core/errors/zod-error-map.ts b/packages/astro/src/core/errors/zod-error-map.ts
index 6e1af1ecb2..d600bd1140 100644
--- a/packages/astro/src/core/errors/zod-error-map.ts
+++ b/packages/astro/src/core/errors/zod-error-map.ts
@@ -56,6 +56,23 @@ export const errorMap: $ZodErrorMap = (issue) => {
 			}
 		}
 
+		if (details.length === 0) {
+			// Check if any union branch has custom validation errors with descriptive messages.
+			// If so, surface those messages directly instead of showing generic shape info.
+			const customMessages: string[] = [];
+			for (const unionErrors of issue.errors) {
+				for (const _issue of unionErrors) {
+					if (_issue.code === 'custom' && _issue.message && _issue.message !== 'Invalid input') {
+						const issuePath = flattenErrorPath(_issue.path);
+						customMessages.push(`> ${prefix(issuePath, _issue.message)}`);
+					}
+				}
+			}
+			if (customMessages.length > 0) {
+				details.push(...customMessages);
+			}
+		}
+
 		if (details.length === 0) {
 			const expectedShapes: string[] = [];
 			for (const unionErrors of issue.errors) {

This report was made by an LLM. The analysis may be wrong, and the potential fix might not work, but is intended as a starting point for exploring the issue.

[ematipico]

Wanna send a PR @HannesOberreiter ?

[HannesOberreiter]

@ematipico the Astro repository is too resource-intensive for my laptop, so I’m unable to contribute directly.

The astrobot solutions look solid to me. However, the zod-error-map change seems a bit off, as the same condition is checked twice in the code snipped shown and might have global side effects. It likely requires deeper knowledge of the codebase to address properly.

[farrosfr]

Hi! I'd like to work on this. Is it still open for me to take a crack at? If so, I’ll start by setting up a reproduction and looking into the validation logic in packages/astro/src/core/csp/config.ts. Thanks!

[matthewp]

Yes, anyone can contribute, no need to ask permission.