report-uri in csp config does not accept valid input after v2.5.2
#11905
report-uri in csp config does not accept valid input after v2.5.2Development PR
The inclusion of svelte.config.js is a breaking change since it's type-checked now and that can break projects which did type-check without errors previously
closes #11906
Also relaxes the report-uri types, fully qualified urls are also ok closes #11905
Please don't delete this checklist! Before submitting the PR, please make sure you do the following:
- It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
- This message body should clearly illustrate what problems it solves.
- Ideally, include a test that fails without this PR but passes with it.
Tests
- Run the tests with
pnpm testand lint the project withpnpm lintandpnpm check
Changesets
- If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running
pnpm changesetand following the prompts. Changesets that add features should beminorand those that fix bugs should bepatch. Please prefix changeset messages withfeat:,fix:, orchore:.
Edits
- Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.
Issue
Solved
M
MathiasWP Feb 27, 2024, 9:53 AM
Describe the bug
This is a valid uri for the report-uri directive:
https://123.ingest.sentry.io/api/456/security/?sentry_key=123mykey&sentry_environment=development&sentry_release=sha1-release-hash
But SvelteKit does not approve it's structure. This was noticed after this PR was merged: #11886
See: https://blog.sentry.io/how-sentry-captures-csp-violations/
Reproduction
https://github.com/MathiasWP/sveltekit-csp-report-uri-bug
Logs
No response
System Info
System:
OS: macOS 14.3.1
CPU: (8) arm64 Apple M1 Pro
Memory: 59.19 MB / 16.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 20.11.0 - ~/.nvm/versions/node/v20.11.0/bin/node
npm: 10.2.4 - ~/.nvm/versions/node/v20.11.0/bin/npm
pnpm: 8.12.0 - /opt/homebrew/bin/pnpm
bun: 1.0.0 - ~/.bun/bin/bun
Browsers:
Brave Browser: 122.1.63.162
Chrome: 121.0.6167.184
Safari: 17.3.1
npmPackages:
@sveltejs/adapter-auto: ^3.0.0 => 3.1.1
@sveltejs/kit: ^2.0.0 => 2.5.2
@sveltejs/vite-plugin-svelte: ^3.0.0 => 3.0.2
svelte: ^4.2.7 => 4.2.12
vite: ^5.0.3 => 5.1.4
Severity
serious, but I can work around it
Additional Information
No response
Info
Closed at Mar 6, 2024, 11:40 AM
Assignees None
Labels types / typescript
Milestone None
F
frederikhors Feb 27, 2024, 1:09 PM
Maybe related to #11906?