This is the second post I’ve seen praising Datastar in the last 24 hours, and once again no mention of the requirement to punch a gaping hole in one’s Content-Security-Policy.
If this is the framework of the future, cyber criminals are going to have a bright future!
That's the nature of anything that does this kind of work. React, Svelte, Solid. Alpine has a CSP version but it does so little that I recommend you just accept being a Web1 MPA basic site.
I have ideas around ways around this but it's a per-language template middleware.
Svelte only requires a CSP hole in its default config as a standalone library; SvelteKit does proper CSP by default, and if you're not using SvelteKit you can build CSP handling into whatever you are using instead. I assume the others are the same way.
Could you avoid eval by having a CSP mode that forces reactive expressions to only allow functions users have registered with datastar in a lookup table?
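As an added example (not Datastar's code and not from any commenter in this thread), a sketch of what the suggested "registered functions only" mode could look like: a tiny expression language whose only verbs are functions registered in a lookup table, parsed and evaluated without eval or the Function constructor, beside the Function-constructor approach that needs 'unsafe-eval'. The grammar, the $name signal syntax and the registered function names are my assumptions, chosen only to make the example run.

```javascript
// Added example (not Datastar's code): a CSP-friendly alternative to compiling
// reactive expression strings with `new Function`. Expression grammar (assumed):
//   expr := IDENT '(' [expr (',' expr)*] ')' | '$' IDENT | number | 'string' | true | false
// Only functions present in `registry` may be called, so the expression can
// never reach fetch(), document, globalThis, etc.

const registry = new Map();
function register(name, fn) { registry.set(name, fn); }

function tokenize(src) {
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|'((?:[^'\\]|\\.)*)'|(\$?[A-Za-z_][A-Za-z0-9_]*)|([(),]))/y;
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) {
      if (/^\s*$/.test(src.slice(pos))) break;          // only trailing whitespace left
      throw new SyntaxError(`unexpected character at offset ${pos}`);
    }
    pos = re.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'str', value: m[2].replace(/\\(.)/g, '$1') });
    else if (m[3] !== undefined) tokens.push({ type: 'ident', value: m[3] });
    else tokens.push({ type: 'punct', value: m[4] });
  }
  return tokens;
}

function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isPunct = (t, v) => t && t.type === 'punct' && t.value === v;
  function expect(v) { if (!isPunct(next(), v)) throw new SyntaxError(`expected '${v}'`); }
  function expr() {
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num' || t.type === 'str') return { kind: 'lit', value: t.value };
    if (t.type === 'ident') {
      if (t.value === 'true' || t.value === 'false') return { kind: 'lit', value: t.value === 'true' };
      if (t.value.startsWith('$')) return { kind: 'signal', name: t.value.slice(1) };
      expect('(');
      const args = [];
      if (!isPunct(peek(), ')')) {
        args.push(expr());
        while (isPunct(peek(), ',')) { next(); args.push(expr()); }
      }
      expect(')');
      return { kind: 'call', name: t.value, args };
    }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }
  const ast = expr();
  if (i !== tokens.length) throw new SyntaxError('trailing input after expression');
  return ast;
}

// Collect call names that are not in the registry, so a bad expression is
// rejected at compile time rather than when it first runs.
function unregisteredCalls(node, out = []) {
  if (node.kind === 'call') {
    if (!registry.has(node.name)) out.push(node.name);
    node.args.forEach((a) => unregisteredCalls(a, out));
  }
  return out;
}

function evaluate(node, signals) {
  switch (node.kind) {
    case 'lit': return node.value;
    case 'signal':
      if (!Object.prototype.hasOwnProperty.call(signals, node.name)) {
        throw new ReferenceError(`unknown signal $${node.name}`);
      }
      return signals[node.name];
    case 'call':
      return registry.get(node.name)(...node.args.map((a) => evaluate(a, signals)));
  }
}

// Safe path: no eval, no Function constructor, works under `script-src 'self'`.
function compileSafe(src) {
  const ast = parse(tokenize(src));
  const missing = unregisteredCalls(ast);
  if (missing.length) throw new ReferenceError(`unregistered function(s): ${missing.join(', ')}`);
  return (signals = {}) => evaluate(ast, signals);
}

// Unsafe path, shown for contrast: the expression string becomes a JS function
// body, which the browser refuses (EvalError) unless the CSP grants 'unsafe-eval'.
function compileUnsafe(src) {
  return new Function('$', `return (${src});`);
}

// Hypothetical registered verbs for the demo.
register('add', (a, b) => a + b);
register('gt', (a, b) => a > b);
register('not', (a) => !a);
register('concat', (...parts) => parts.join(''));
register('upper', (s) => String(s).toUpperCase());
```

With a policy such as `Content-Security-Policy: script-src 'self'`, `compileUnsafe` throws in the browser while `compileSafe` keeps working; the trade-off is that authors can only use verbs the application registered, which is exactly the constraint the question above proposes.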
Please don't cargo cult CSP without understanding it.
unsafe-eval constrained to function constructors without inline scripts is only a concern if you are rendering user-submitted HTML (most common case I see is markdown). Regardless of your CSP configuration you should be sanitizing that user-submitted HTML anyway.
sudodevnull|10 months ago
jazoom|10 months ago
I also didn't have a problem with CSP and HTMX.
Nor with SvelteKit.
I'm not sure why you think these are all equivalent to DataStar's hard requirement on unsafe-eval.
FYI, this is the reason I didn't try out DataStar.
pie_flavor|10 months ago
tauroid|10 months ago
dpc_01234|10 months ago
andersmurphy|10 months ago
max_|10 months ago
sudodevnull|10 months ago
j13n|10 months ago
https://news.ycombinator.com/item?id=43650921
nchmy|10 months ago