fix: relax CSP to allow SvelteKit bootstrap and Cloudflare edge scripts#20

Merged
tbjers merged 1 commit into main from fix/csp-inline-scripts-and-styles on Jun 26, 2026

Conversation

@tbjers tbjers commented Jun 26, 2026

Contributor

Summary

  • Adds explicit script-src and style-src directives to the _headers CSP, replacing the over-broad default-src 'self' fallback that was blocking the dashboard from loading
  • 'unsafe-inline' in script-src covers SvelteKit's inline bootstrap script and any scripts Cloudflare injects at the edge (Web Analytics, Rocket Loader, etc.) — hash mode is not viable here because once a hash is present in script-src, browsers ignore 'unsafe-inline', and edge-injected scripts can't be hashed at build time
  • https://static.cloudflareinsights.com added to script-src and https://cloudflareinsights.com to connect-src for the Web Analytics beacon
  • 'unsafe-inline' in style-src covers the style="display:contents" attribute SvelteKit emits on its body wrapper div
  • All other security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, frame-ancestors, base-uri, form-action) are unchanged

The dashboard is gated by Cloudflare Access, so CSP is defence-in-depth rather than the primary XSS control.

Test plan

  • Deploy to Cloudflare and confirm the dashboard loads without CSP errors in the browser console
  • Confirm Cloudflare Web Analytics beacon fires (network tab: request to cloudflareinsights.com)
  • Confirm X-Frame-Options: DENY and other security headers are still present in the response

🤖 Generated with Claude Code

The strict default-src 'self' policy blocked three categories of content
that cannot be handled with build-time hashes:

- SvelteKit's inline bootstrap script in index.html
- Scripts injected by Cloudflare at the edge (Web Analytics, etc.) whose
  content is unknown at build time — once any hash appears in script-src,
  browsers ignore 'unsafe-inline', so hash mode is not a viable escape hatch
- The Cloudflare Insights beacon loaded from static.cloudflareinsights.com
- The style="display:contents" attribute SvelteKit emits on its body wrapper

Adds explicit script-src and style-src directives with 'unsafe-inline' and
the Cloudflare Insights origin/connect-src. The dashboard is already gated
by Cloudflare Access, so CSP here is defence-in-depth rather than the
primary XSS control.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
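The two CSP behaviours the PR relies on (a missing fetch directive falls back to default-src, and a nonce or hash in script-src/style-src makes browsers ignore 'unsafe-inline') can be checked against the before and after policies. The following is an added example written for this page, not code from the repository or from Cloudflare. The policy strings are reconstructed from the PR description, since the actual _headers file is not shown; the document origin, the beacon URL paths and the hash value are constructed placeholders; source matching is simplified to exact scheme and host (no wildcards or paths) and 'strict-dynamic' is not modelled.

```python
"""Small CSP policy checker illustrating the rules the PR description relies on.
Added example; not the repository's or Cloudflare's code.

  1. A fetch directive (script-src, style-src, connect-src, ...) that is absent
     from the policy falls back to default-src.
  2. When script-src or style-src contains a nonce- or hash-source, browsers
     ignore 'unsafe-inline' in that directive, which is why a build-time hash
     for the SvelteKit bootstrap cannot be combined with 'unsafe-inline' for
     edge-injected scripts.

Source matching is deliberately simplified: 'self' matches the document origin,
and a host-source must equal the URL's scheme://host exactly.
"""
from urllib.parse import urlparse

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Policies reconstructed from the PR text; the real _headers file is not shown,
# so directive order and the frame-ancestors value are assumptions.
CSP_BEFORE = (
    "default-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
)
CSP_AFTER = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://static.cloudflareinsights.com; "
    "style-src 'self' 'unsafe-inline'; "
    "connect-src 'self' https://cloudflareinsights.com; "
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
)
# Constructed placeholder hash: shows the effect of adding a hash next to
# 'unsafe-inline' (rule 2).
CSP_AFTER_WITH_HASH = CSP_AFTER.replace(
    "script-src 'self' 'unsafe-inline'",
    "script-src 'self' 'unsafe-inline' 'sha256-PLACEHOLDERHASHVALUE='",
)


def parse_csp(header):
    """Parse a serialized policy into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Source list governing a fetch directive, falling back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def inline_allowed(policy, directive):
    """True if inline script/style is permitted under `directive`."""
    sources = effective_sources(policy, directive)
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    # A nonce or hash in the directive disables 'unsafe-inline'.
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def url_allowed(policy, directive, url, document_origin):
    """True if fetching `url` is permitted under `directive` (simplified)."""
    target = urlparse(url)
    target_origin = f"{target.scheme}://{target.netloc}"
    for source in effective_sources(policy, directive):
        if source == "'self'" and target_origin == document_origin:
            return True
        if source.startswith("http") and source.rstrip("/") == target_origin:
            return True
    return False


def audit(header, document_origin="https://dashboard.example"):
    """Summarize what the policy allows for the items named in the PR.
    The document origin and beacon paths are constructed placeholders."""
    policy = parse_csp(header)
    return {
        "inline_bootstrap_script": inline_allowed(policy, "script-src"),
        "inline_style_attribute": inline_allowed(policy, "style-src"),
        "beacon_script": url_allowed(
            policy, "script-src",
            "https://static.cloudflareinsights.com/constructed-beacon.js",
            document_origin),
        "beacon_connect": url_allowed(
            policy, "connect-src",
            "https://cloudflareinsights.com/constructed-endpoint",
            document_origin),
        "framing_blocked": policy.get("frame-ancestors") == ["'none'"],
    }


if __name__ == "__main__":
    for name, header in (("before", CSP_BEFORE), ("after", CSP_AFTER),
                         ("after+hash", CSP_AFTER_WITH_HASH)):
        print(name, audit(header))
```

Running it shows the before policy rejecting every item except framing, the after policy accepting all of them, and the hash variant silently dropping inline script permission again while leaving style-src untouched, which is the trap the PR description calls out.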
@tbjers tbjers merged commit 7449037 into main Jun 26, 2026
5 checks passed
@tbjers tbjers deleted the fix/csp-inline-scripts-and-styles branch June 26, 2026 02:57