Fund: Add 'self' to CSP script-src directive only when strictly necessary

As of today, Astro-Shield always adds the 'self' source to avoid potential problems with static imports present inside loaded scripts.

Although this is not dangerous, it is arguably less safe than just adding the hashes of the specific resources that will be loaded, and it is not always necessary (loaded scripts not always have static imports inside them, which is the only reason to add the self source).

My proposal is to detect when those import statements are present in the loaded scripts, and then add the self source only in those cases.

KindSpells Labs/astro-shield

Add 'self' to CSP script-src directive only when strictly necessary

How does funding with Polar work?

Backer

Contributor

Maintainer

KindSpells Labs/astro-shield

Add 'self' to CSP script-src directive only when strictly necessary

How does funding with Polar work?

Backer

Why does "Fund on completion" require GitHub login?

When is the invoice due for "Fund on completion"?

What happens if the issue is never completed?

Do I get any extra benefits by funding?

Do I get progress updates?

Contributor

Do I get a reward?

Is rewards guaranteed?

Maintainer

How can I get funding like this for my open source initiatives?