feat: stabilise CSP

Author: ematipico

packages/astro/src/assets/fonts/vite-plugin-fonts.ts

@@ -195,8 +195,8 @@ export function fontsPlugin({ settings, sync, logger }: Options): Plugin {
 		consumableMap = res.consumableMap;
 
 		// Handle CSP
-		if (shouldTrackCspHashes(settings.config.experimental.csp)) {
-			const algorithm = getAlgorithm(settings.config.experimental.csp);
+		if (shouldTrackCspHashes(settings.config.security.csp)) {
+			const algorithm = getAlgorithm(settings.config.security.csp);
 
 			// Generate a hash for each style we generate
 			for (const { css } of internalConsumableMap.values()) {

packages/astro/src/core/build/generate.ts

@@ -667,7 +667,7 @@ async function generatePath(
 
 	if (
 		pipeline.settings.adapter?.adapterFeatures?.experimentalStaticHeaders &&
-		pipeline.settings.config.experimental?.csp
+		pipeline.settings.config.security?.csp
 	) {
 		routeToHeaders.set(pathname, { headers: responseHeaders, route: integrationRoute });
 	}
@@ -717,14 +717,14 @@ async function createBuildManifest(
 		};
 	}
 
-	if (shouldTrackCspHashes(settings.config.experimental.csp)) {
-		const algorithm = getAlgorithm(settings.config.experimental.csp);
+	if (shouldTrackCspHashes(settings.config.security.csp)) {
+		const algorithm = getAlgorithm(settings.config.security.csp);
 		const scriptHashes = [
-			...getScriptHashes(settings.config.experimental.csp),
+			...getScriptHashes(settings.config.security.csp),
 			...(await trackScriptHashes(internals, settings, algorithm)),
 		];
 		const styleHashes = [
-			...getStyleHashes(settings.config.experimental.csp),
+			...getStyleHashes(settings.config.security.csp),
 			...settings.injectedCsp.styleHashes,
 			...(await trackStyleHashes(internals, settings, algorithm)),
 		];
@@ -734,12 +734,12 @@ async function createBuildManifest(
 				? 'adapter'
 				: undefined,
 			styleHashes,
-			styleResources: getStyleResources(settings.config.experimental.csp),
+			styleResources: getStyleResources(settings.config.security.csp),
 			scriptHashes,
-			scriptResources: getScriptResources(settings.config.experimental.csp),
+			scriptResources: getScriptResources(settings.config.security.csp),
 			algorithm,
 			directives: getDirectives(settings),
-			isStrictDynamic: getStrictDynamic(settings.config.experimental.csp),
+			isStrictDynamic: getStrictDynamic(settings.config.security.csp),
 		};
 	}
 	return {

packages/astro/src/core/build/plugins/plugin-manifest.ts

@@ -321,14 +321,14 @@ async function buildManifest(
 
 	let csp: SSRManifestCSP | undefined = undefined;
 
-	if (shouldTrackCspHashes(settings.config.experimental.csp)) {
-		const algorithm = getAlgorithm(settings.config.experimental.csp);
+	if (shouldTrackCspHashes(settings.config.security.csp)) {
+		const algorithm = getAlgorithm(settings.config.security.csp);
 		const scriptHashes = [
-			...getScriptHashes(settings.config.experimental.csp),
+			...getScriptHashes(settings.config.security.csp),
 			...(await trackScriptHashes(internals, settings, algorithm)),
 		];
 		const styleHashes = [
-			...getStyleHashes(settings.config.experimental.csp),
+			...getStyleHashes(settings.config.security.csp),
 			...settings.injectedCsp.styleHashes,
 			...(await trackStyleHashes(internals, settings, algorithm)),
 		];
@@ -338,12 +338,12 @@ async function buildManifest(
 				? 'adapter'
 				: undefined,
 			scriptHashes,
-			scriptResources: getScriptResources(settings.config.experimental.csp),
+			scriptResources: getScriptResources(settings.config.security.csp),
 			styleHashes,
-			styleResources: getStyleResources(settings.config.experimental.csp),
+			styleResources: getStyleResources(settings.config.security.csp),
 			algorithm,
 			directives: getDirectives(settings),
-			isStrictDynamic: getStrictDynamic(settings.config.experimental.csp),
+			isStrictDynamic: getStrictDynamic(settings.config.security.csp),
 		};
 	}
 

packages/astro/src/core/config/schemas/base.ts

@@ -89,6 +89,7 @@ export const ASTRO_CONFIG_DEFAULTS = {
 	security: {
 		checkOrigin: true,
 		allowedDomains: [],
+		csp: false,
 	},
 	env: {
 		schema: {},
@@ -99,7 +100,6 @@ export const ASTRO_CONFIG_DEFAULTS = {
 	experimental: {
 		clientPrerender: false,
 		contentIntellisense: false,
-		csp: false,
 		chromeDevtoolsWorkspace: false,
 		svgo: false,
 	},
@@ -428,6 +428,29 @@ export const AstroConfigSchema = z.object({
 				)
 				.optional()
 				.default(ASTRO_CONFIG_DEFAULTS.security.allowedDomains),
+			csp: z
+				.union([
+					z.boolean().optional().default(ASTRO_CONFIG_DEFAULTS.security.csp),
+					z.object({
+						algorithm: cspAlgorithmSchema,
+						directives: z.array(allowedDirectivesSchema).optional(),
+						styleDirective: z
+							.object({
+								resources: z.array(z.string()).optional(),
+								hashes: z.array(cspHashSchema).optional(),
+							})
+							.optional(),
+						scriptDirective: z
+							.object({
+								resources: z.array(z.string()).optional(),
+								hashes: z.array(cspHashSchema).optional(),
+								strictDynamic: z.boolean().optional(),
+							})
+							.optional(),
+					}),
+				])
+				.optional()
+				.default(ASTRO_CONFIG_DEFAULTS.security.csp),
 		})
 		.optional()
 		.default(ASTRO_CONFIG_DEFAULTS.security),
@@ -478,29 +501,6 @@ export const AstroConfigSchema = z.object({
 				.optional()
 				.default(ASTRO_CONFIG_DEFAULTS.experimental.contentIntellisense),
 			fonts: z.array(z.union([localFontFamilySchema, remoteFontFamilySchema])).optional(),
-			csp: z
-				.union([
-					z.boolean().optional().default(ASTRO_CONFIG_DEFAULTS.experimental.csp),
-					z.object({
-						algorithm: cspAlgorithmSchema,
-						directives: z.array(allowedDirectivesSchema).optional(),
-						styleDirective: z
-							.object({
-								resources: z.array(z.string()).optional(),
-								hashes: z.array(cspHashSchema).optional(),
-							})
-							.optional(),
-						scriptDirective: z
-							.object({
-								resources: z.array(z.string()).optional(),
-								hashes: z.array(cspHashSchema).optional(),
-								strictDynamic: z.boolean().optional(),
-							})
-							.optional(),
-					}),
-				])
-				.optional()
-				.default(ASTRO_CONFIG_DEFAULTS.experimental.csp),
 			chromeDevtoolsWorkspace: z
 				.boolean()
 				.optional()

packages/astro/src/core/csp/common.ts

@@ -9,7 +9,7 @@ import type { BuildInternals } from '../build/internal.js';
 import { generateCspDigest } from '../encryption.js';
 import type { CspDirective } from './config.js';
 
-type EnabledCsp = Exclude<AstroConfig['experimental']['csp'], false>;
+type EnabledCsp = Exclude<AstroConfig['security']['csp'], false>;
 
 export function shouldTrackCspHashes(csp: any): csp is EnabledCsp {
 	return csp === true || typeof csp === 'object';
@@ -55,7 +55,7 @@ export function getStyleResources(csp: EnabledCsp): string[] {
 // because it has to collect and deduplicate font resources from both the user
 // config and the vite plugin for fonts
 export function getDirectives(settings: AstroSettings): CspDirective[] {
-	const { csp } = settings.config.experimental;
+	const { csp } = settings.config.security;
 	if (!shouldTrackCspHashes(csp)) {
 		return [];
 	}

packages/astro/src/core/dev/restart.ts

@@ -77,7 +77,7 @@ async function restartContainer(container: Container): Promise<Container | Error
 
 	try {
 		const { astroConfig } = await resolveConfig(container.inlineConfig, 'dev', container.fs);
-		if (astroConfig.experimental.csp) {
+		if (astroConfig.security.csp) {
 			logger.warn(
 				'config',
 				"Astro's Content Security Policy (CSP) does not work in development mode. To verify your CSP implementation, build the project and run the preview server.",
@@ -125,7 +125,7 @@ export async function createContainerWithAutomaticRestart({
 }: CreateContainerWithAutomaticRestart): Promise<Restart> {
 	const logger = createNodeLogger(inlineConfig ?? {});
 	const { userConfig, astroConfig } = await resolveConfig(inlineConfig ?? {}, 'dev', fs);
-	if (astroConfig.experimental.csp) {
+	if (astroConfig.security.csp) {
 		logger.warn(
 			'config',
 			"Astro's Content Security Policy (CSP) does not work in development mode. To verify your CSP implementation, build the project and run the preview server.",

packages/astro/src/core/errors/errors-data.ts

@@ -1410,12 +1410,12 @@ export const FontFamilyNotFound = {
  * @description
  * The CSP feature isn't enabled
  * @message
- * The `experimental.csp` configuration isn't enabled.
+ * The `security.csp` configuration isn't enabled.
  */
 export const CspNotEnabled = {
 	name: 'CspNotEnabled',
 	title: "CSP feature isn't enabled",
-	message: "The `experimental.csp` configuration isn't enabled.",
+	message: "The `security.csp` configuration isn't enabled.",
 } satisfies ErrorData;
 
 /**

packages/astro/src/types/astro.ts

@@ -29,7 +29,7 @@ export type SerializedRouteData = Omit<
 	};
 };
 
-type CspObject = Required<Exclude<AstroConfig['experimental']['csp'], boolean>>;
+type CspObject = Required<Exclude<AstroConfig['security']['csp'], boolean>>;
 
 export interface AstroSettings {
 	config: AstroConfig;