Adding nonce attribute to netlify-rum script

Hi all,
Our app is built with Sveltekit and being in SSR mode we configured it to generate and add a nonce value to all resources that we are loading, so that we can then set our content security policies (csp) for scripts to “strict-dynamic” and forget about it. The csp values are managed by Sveltekit so we don’t need to generate the nonce ourselves (so no csp is specified in netlify.toml or _headers files).
What happens though (I think) is that the netlify-rum script gets injected after so the policies block the script.
Do you know a way that we could control the injection of the rum script (so that we could add the nonce to it)? I know Netlify offers a csp plugin on edge functions, but we would like to avoid changing our setup if possible.

Thank you in advance for any suggestion or help!

The script is injected by us dynamically later and it comes from our servers, so it doesn’t look like you can do much to control that. Is it not possible to modify the CSP for this one script?

Hi @hrishikesh, thanks for taking the time to answer!
The problem is that I cannot whitelist the script in my csp if I use the keyword “strict-dynamic”. With this (kinda new) keyword, all keywords such as “self”, “https:”, etc. and all hosts specified (such as the domain hosting the rum script) are ignored. I think this is a similar implementation to what Netlify does with its csp plugin: it uses “strict-dynamic” and then adds a nonce attribute to all injected scripts.

From what I understand from your answer, my options would be:

  • do not use Sveltekit to manage csp and use Netlify plugin instead;
  • remove the “strict-dynamic” keyword so I can more explicitly list items in my csp whitelist (not ideal);
  • disable the rum script;

I think for now I will go with the last option and instead add a different analytics library (e.g. Sentry), for which I have more control over script injections.
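To make the “strict-dynamic” behaviour discussed in the two posts above concrete, here is an added example (not code from the original thread, SvelteKit or Netlify) that models how a browser evaluates a `script-src` directive. It follows the CSP Level 3 matching rules in simplified form: a nonce match always wins; under `'strict-dynamic'` every host source, scheme source, `'self'` and `'unsafe-inline'` is ignored and only scripts created by already-trusted code through non-parser-inserting APIs are allowed; without `'strict-dynamic'` the usual host allow-list applies. The nonce value, origins and script URLs are constructed placeholders, and the `createdByTrustedScript` / `parserInserted` flags stand in for state the browser tracks internally.

```javascript
// Simplified model of CSP script-src evaluation, added for illustration.
// Not code from SvelteKit, Netlify or the original post; hostnames and
// the nonce below are constructed sample values.

function parseScriptSrc(policy) {
  // Pull the script-src directive out of a full CSP string and classify its sources.
  const directive = policy
    .split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith('script-src'));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1);
  return {
    none: sources.includes("'none'"),
    strictDynamic: sources.includes("'strict-dynamic'"),
    unsafeInline: sources.includes("'unsafe-inline'"),
    nonces: sources.filter((s) => s.startsWith("'nonce-")).map((s) => s.slice(7, -1)),
    // 'self' plus every unquoted host/scheme source; hashes and other keywords excluded
    hostLike: sources.filter((s) => !s.startsWith("'") || s === "'self'"),
  };
}

function sourceMatches(source, scriptUrl, pageOrigin) {
  // Does one host-like source expression match an external script URL?
  const url = new URL(scriptUrl);
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source; // e.g. https:
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (port && url.port !== port) return false;
  if (wildcard) return url.hostname.endsWith('.' + host);
  return url.hostname === host;
}

// script: { src?, nonce?, parserInserted, createdByTrustedScript? }
function isScriptAllowed(policy, script, pageOrigin) {
  const p = parseScriptSrc(policy);
  if (!p) return true; // no script-src at all (default-src fallback omitted for brevity)
  if (p.none) return false;
  // A nonce that matches the policy is honoured regardless of anything else.
  if (script.nonce && p.nonces.includes(script.nonce)) return true;
  if (p.strictDynamic) {
    // Host sources, scheme sources, 'self' and 'unsafe-inline' are all ignored.
    // Without a matching nonce a script passes only when trusted code created it via
    // createElement/appendChild; markup, innerHTML and document.write insertions fail.
    return script.createdByTrustedScript === true && !script.parserInserted;
  }
  if (!script.src) return p.unsafeInline && p.nonces.length === 0; // 'unsafe-inline' is ignored once nonces are present
  return p.hostLike.some((s) => sourceMatches(s, script.src, pageOrigin));
}

// Scenario from the thread, with constructed values: SvelteKit emits a per-request nonce
// and a strict-dynamic policy, then a script tag without that nonce lands in the HTML.
const NONCE = 'r4nd0mNonceValue'; // constructed; SvelteKit would generate this per request
const PAGE_ORIGIN = 'https://app.example.com';
const STRICT_POLICY = `script-src 'strict-dynamic' 'nonce-${NONCE}' 'self' https://analytics.example.net`;
const EXPLICIT_POLICY = `script-src 'self' 'nonce-${NONCE}' https://analytics.example.net`;

const appBundle = { src: `${PAGE_ORIGIN}/_app/start.js`, nonce: NONCE, parserInserted: true };
const injectedRum = { src: 'https://analytics.example.net/rum.js', parserInserted: true }; // no nonce
const lazyChunk = { src: `${PAGE_ORIGIN}/_app/chunk.js`, parserInserted: false, createdByTrustedScript: true };

function scenario() {
  return {
    bundleUnderStrict: isScriptAllowed(STRICT_POLICY, appBundle, PAGE_ORIGIN), // true: nonce matches
    rumUnderStrict: isScriptAllowed(STRICT_POLICY, injectedRum, PAGE_ORIGIN), // false: host allow-list ignored
    chunkUnderStrict: isScriptAllowed(STRICT_POLICY, lazyChunk, PAGE_ORIGIN), // true: created by trusted code
    rumUnderExplicit: isScriptAllowed(EXPLICIT_POLICY, injectedRum, PAGE_ORIGIN), // true: host listed
  };
}

console.log(scenario());
```

The `rumUnderStrict` result is the situation described in the thread: listing the analytics host in `script-src` does nothing once `'strict-dynamic'` is present, so a parser-inserted script without the per-request nonce is blocked, while the same script passes under the explicit allow-list policy.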

Yeah, based on your description, it doesn’t look like you can stick with using RUM Analytics without switching to explicit CSP.