Astro Islands prevent CSP with inline styles and scripts

[itsmatteomanf]

Astro Info

Astro                    v3.2.1
Node                     v18.17.1
System                   macOS (arm64)
Package Manager          pnpm
Output                   static
Adapter                  none
Integrations             @astrojs/svelte

Describe the Bug

Adding any Astro Island in the projects makes strict CSP support impossible, as both a style and a script tag are added to the HTML page, with inline styles forcing unsafe-inline.

I have set both build: {inlineStylesheets: "never"} and vite: { build: { assetsInlineLimit: 0 } }, but they do nothing with this.

Can that be bundled in the JS and CSS files?

What's the expected result?

Having JS and CSS bundled with the rest of the assets.

Link to Minimal Reproducible Example

https://stackblitz.com/edit/withastro-astro-issue-8719

Participation

• I am willing to submit a pull request for this issue.

[maciekbb-gyg]

I was wondering if a combination of vite: { build: { assetsInlineLimit: 0 } } and explicitly allow-listing some SHAs of helper scripts that astro injects could work?

[itsmatteomanf]

It could, but:

1. I'd seriously prefer them to be hoisted out if I could choose, and I request for scripts/styles to be hoisted.
2. I'd need to know the SHA hashes, which change with updates possibly, so it's a constant maintenance burden.
3. The CSS is a single selector, for example and there is a JS file already added for the rendering of the island (which is different from the actual island code itself), just append to that...

[Princesseuh]

Hello! We have a quite long discussion going on here on this: withastro/roadmap#377 and since this is not an issue, I'll close this issue in favour of the discussion. Thank you!

[itsmatteomanf]

@Princesseuh I looked around and didn't find that thread. In particular because nobody mentions Astro Islands directly.

This sounds like a bug to me, though. If I set build: {inlineStylesheets: "never"} I expect no stylesheets to show up in the final build (there is no similar direct from Astro setting, but the Vite one is comparable), but I do if I use Astro Islands.

It's a real blocker for using Astro in any quality website.

[matthewp]

@itsmatteomanf It's a tradeoff in favor of performance. Having the island script externally would mean that it first needs to load before it could then start loading your actual components. So there would always be a waterfall caused by doing this.

Curious to hear your thoughts in that thread, but to me using hashes or nonces are the better solution here as they allow the better performance.

[vanntile]

For future reference (and in case people still need help with this), it's very easy to write an Astro integration to output the CSP SH256 hashes. One could use the output for their nginx/host provider configuration (for a static website) or even add meta tags in the html pages with appropriate CSP values. This is my implementation

import type { AstroIntegration } from 'astro'
import { parse } from 'node-html-parser'
import { readFile } from 'node:fs/promises'
import { fileURLToPath } from 'node:url'

const createCspHash = async (s: string) => {
  const hashBuffer = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(s))
  const hashBase64 = btoa(String.fromCharCode(...new Uint8Array(hashBuffer)))

  return `'sha256-${hashBase64}'`
}

export const astroCSPHashGenerator: AstroIntegration = {
  name: 'astro-csp-hash-generator',
  hooks: {
    'astro:build:done': async ({ dir, pages, logger }) => {
      let hashes = ''
      for (let i = 0; i < pages.length; i++) {
        const filePath = fileURLToPath(`${dir.href}${pages[i].pathname}index.html`)

        try {
          const root = parse(await readFile(filePath, { encoding: 'utf-8' }))
          const scripts = root.querySelectorAll('script')

          for (let j = 0; j < scripts.length; j++) {
            const hash = await createCspHash(scripts[j].textContent)
            hashes += hash + ' '
          }
        } catch (e) {
          logger.error(`Cannot read file ${filePath}: ${e}`)
        }
      }
      logger.info(hashes)
    },
  },
}

This is zero-configuration and only looks at index.html files in the build directory, but the core functionality is there for anyone wanting to customize it.

[JoaquimDaPonte]

For future reference (and in case people still need help with this), it's very easy to write an Astro integration to output the CSP SH256 hashes. One could use the output for their nginx/host provider configuration (for a static website) or even add meta tags in the html pages with appropriate CSP values. This is my implementation

import type { AstroIntegration } from 'astro'
import { parse } from 'node-html-parser'
import { readFile } from 'node:fs/promises'
import { fileURLToPath } from 'node:url'

const createCspHash = async (s: string) => {
const hashBuffer = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(s))
const hashBase64 = btoa(String.fromCharCode(...new Uint8Array(hashBuffer)))

return 'sha256-${hashBase64}'
}

export const astroCSPHashGenerator: AstroIntegration = {
name: 'astro-csp-hash-generator',
hooks: {
'astro:build:done': async ({ dir, pages, logger }) => {
let hashes = ''
for (let i = 0; i < pages.length; i++) {
const filePath = fileURLToPath(${dir.href}${pages[i].pathname}index.html)

    try {
      const root = parse(await readFile(filePath, { encoding: 'utf-8' }))
      const scripts = root.querySelectorAll('script')

      for (let j = 0; j < scripts.length; j++) {
        const hash = await createCspHash(scripts[j].textContent)
        hashes += hash + ' '
      }
    } catch (e) {
      logger.error(`Cannot read file ${filePath}: ${e}`)
    }
  }
  logger.info(hashes)
},

},
}
This is zero-configuration and only looks at index.html files in the build directory, but the core functionality is there for anyone wanting to customize it.

Hey I found a plugin that does essentially this now: https://astro-shield.kindspells.dev/guides/subresource-integrity/static-sites/