fix: support WebSocket protocol and Trusted Types Eval for CSP sources#15938
🦋 Changeset detected. Latest commit: 44faa4e. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
@Rich-Harris forgive me for the ping, however I went through the entire git history of kit, and you're pretty much the only person that ever dealt with CSP in the kit codebase. I asked other maintainers in hopes of not bothering you, but unfortunately many don't seem familiar with CSP, so you're the only person I can ask. Could I get a review?
hey thanks for this! looks great, nice little fix.
@Rich-Harris I think this PR is wrong. The CSP type definitions are fundamentally wrong, and I wish we could discuss it because this is merged.
what?
if you look at the spec I linked in the original PR description, it's a LOT more loose than the current type defs. TL;DR: hardcoding http, https, ws, wss etc. isn't a good idea, as the CSP schemes define support for custom protocols, for example my.app-proto://example.com/path/file.js. Additionally, there are other keyword sources which this PR doesn't cover, because I wasn't sure if sveltekit itself supports them, such as 'unsafe-webtransport-hashes', as I've never used these myself, and I unfortunately haven't had time to verify them. So I kinda wanted to discuss "how to correctly solve this for sveltekit".
forgive me, I did not have time to get around to writing a proper dynamic TS type declaration for this, as I've been a bit preoccupied with other contributions elsewhere. So this is an "absolutely minimal" but technically correct PR, but it doesn't solve the underlying problem these type defs have. I just updated the types to match "what's currently there", but the problem is IMHO that what's currently there isn't correct.
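The comment above asks for a type that follows the CSP3 source-list grammar rather than a fixed list of schemes. The following is an added example, not SvelteKit's code and not part of this PR; the names `CspSource`, `classifyCspSource` and `invalidCspSources` are hypothetical, and the keyword list is only a subset of the spec's keyword-source production.

```typescript
// Added example (not SvelteKit's code): model CSP3 source expressions by
// their grammar instead of a hard-coded list of schemes. Names are illustrative.

// Keyword sources: a subset of CSP3 keyword-source, including 'trusted-types-eval'.
const KEYWORD_SOURCES = [
  "'self'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
  "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'", "'trusted-types-eval'",
] as const;

type KeywordSource = (typeof KEYWORD_SOURCES)[number];
type SchemeSource = `${string}:`; // any scheme-part + ':' such as "ws:", "wss:", "my.app-proto:"
type HostSource = '*' | `${string}.${string}` | `${string}://${string}`;
type NonceSource = `'nonce-${string}'`;
type HashSource = `'sha${256 | 384 | 512}-${string}'`;
type CspSource = KeywordSource | SchemeSource | HostSource | NonceSource | HashSource;

// Type-level check: custom schemes and the new keyword are assignable to the union.
const TYPED_EXAMPLES: CspSource[] = ['wss:', 'my.app-proto:', "'trusted-types-eval'"];

// Runtime validation following the source-list ABNF in https://www.w3.org/TR/CSP3/
const SCHEME = '[A-Za-z][A-Za-z0-9+.-]*'; // scheme-part (RFC 3986 scheme syntax)
const HOST = '(\\*|(\\*\\.)?[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)*\\.?)'; // host-part
const PORT = '(:(\\*|[0-9]+))?'; // optional port-part
const PATH = '(/[^\\s;,]*)?'; // optional path-part
const BASE64 = '[A-Za-z0-9+/_-]+={0,2}'; // base64-value
const PRODUCTIONS = {
  keyword: new RegExp(`^(${KEYWORD_SOURCES.join('|')})$`),
  scheme: new RegExp(`^${SCHEME}:$`),
  host: new RegExp(`^(${SCHEME}://)?${HOST}${PORT}${PATH}$`),
  nonce: new RegExp(`^'nonce-${BASE64}'$`),
  hash: new RegExp(`^'sha(256|384|512)-${BASE64}'$`),
};
type SourceKind = keyof typeof PRODUCTIONS;

/** Returns the source-expression production that `src` matches, or null if none. */
function classifyCspSource(src: string): SourceKind | null {
  for (const [kind, re] of Object.entries(PRODUCTIONS)) {
    if (re.test(src)) return kind as SourceKind;
  }
  return null;
}

/** Returns the entries of a directive's source list that match no production. */
function invalidCspSources(sources: readonly string[]): string[] {
  return sources.filter((s) => classifyCspSource(s) === null);
}
```

Running a directive's source list through `invalidCspSources` at config-load time catches typos such as `wss` without the colon before they silently weaken or break the policy.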
Added
ah yep, good catch — thanks
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

# Releases

## @sveltejs/enhanced-img@0.11.0

### Minor Changes

- feat: export `EnhancedImgAttributes` type ([#15649](#15649))

### Patch Changes

- fix: exclude imports with `?` character from transformation ([#15617](#15617))

## @sveltejs/kit@2.66.0

### Minor Changes

- feat: precompress prerendered `.md` and `.mdx` files ([#15893](#15893))
- feat: warn the user when they forget to make boolean inputs optional in their form schemas ([#15804](#15804))

### Patch Changes

- fix: blur active element before component update during navigation so that blur/focusout handlers fire while old component data is still valid ([#15452](#15452))
- fix: ensure `base` is available from `$service-worker` during development ([#15882](#15882))
- fix: use correct relative asset paths when rendering an error page for a missing `__data.json` request ([#15884](#15884))
- fix: preserve active `for await` consumers across `query.live` reconnects ([#16022](#16022))
- fix: settle `query.live` reconnect promise on all exit paths, preventing `invalidateAll()` from deadlocking when a live query is offline or interrupted ([#16022](#16022))
- fix: preserve last value when a `query.live` stream completes without yielding on reconnect ([#16022](#16022))
- fix: remove `types: ['node']` from generated tsconfig to avoid errors when `@types/node` is not installed ([#15709](#15709))
- fix: prefer pages over endpoints when prerendering ([#16076](#16076))
- fix: restore snapshots after afterNavigate callbacks ([#16066](#16066))
- fix: support `ws:`/`wss:` and `trusted-types-eval` for CSP sources ([#15938](#15938))
- fix: omit empty `file` inputs from remote form data ([#15898](#15898))
- fix: fail early if a route with `+page` and `+server` is marked as prerenderable ([#16075](#16075))
- fix: wait a tick before resetting forms ([#15805](#15805))
- fix: `preflight` schemas apply correctly when chained before `for` ([#15863](#15863))
- fix: blank page in SPA mode when root layout `load()` throws ([#15798](#15798))
- fix: pass all unknown options from the `sveltekit` Vite plugin through to `vite-plugin-svelte` ([#16010](#16010))

## @sveltejs/adapter-node@5.5.5

### Patch Changes

- fix: bundle entrypoints alongside app code ([#16069](#16069))
- fix: log the actual adapter-node listening address ([#15899](#15899))
- Updated dependencies [[`63f1b0b`](63f1b0b), [`1dbff3f`](1dbff3f), [`961ba01`](961ba01), [`d2e108c`](d2e108c), [`d2e108c`](d2e108c), [`d2e108c`](d2e108c), [`860b3c7`](860b3c7), [`f8c842c`](f8c842c), [`d3aa5fe`](d3aa5fe), [`0dd7659`](0dd7659), [`03e9f66`](03e9f66), [`57b7b7b`](57b7b7b), [`4eabadc`](4eabadc), [`6fbf2b6`](6fbf2b6), [`276744d`](276744d), [`8740132`](8740132), [`f430a68`](f430a68), [`1c7a8dc`](1c7a8dc)]:
  - @sveltejs/kit@2.66.0

## @sveltejs/adapter-vercel@6.3.4

### Patch Changes

- fix: prevent missing immutable assets from being cached as 404s for a year ([#16077](#16077))
- Updated dependencies [[`63f1b0b`](63f1b0b), [`1dbff3f`](1dbff3f), [`961ba01`](961ba01), [`d2e108c`](d2e108c), [`d2e108c`](d2e108c), [`d2e108c`](d2e108c), [`860b3c7`](860b3c7), [`f8c842c`](f8c842c), [`d3aa5fe`](d3aa5fe), [`0dd7659`](0dd7659), [`03e9f66`](03e9f66), [`57b7b7b`](57b7b7b), [`4eabadc`](4eabadc), [`6fbf2b6`](6fbf2b6), [`276744d`](276744d), [`8740132`](8740132), [`f430a68`](f430a68), [`1c7a8dc`](1c7a8dc)]:
  - @sveltejs/kit@2.66.0

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>



could not find an issue which references this problem
currently defining websockets inside CSP directives will throw a type error:

additionally, base sources don't support trusted-types-eval, which is part of the spec: https://www.w3.org/TR/CSP3/#grammardef-keyword-source
there are also other missing values, however I have not used them, so I don't know how to verify them
this fixes that, it's a very minor change
unsure if this should be a fix or a chore, as in theory it doesn't change any runtime behavior, and is only development tooling related