Package version
9.0.0
Describe the bug
Description
When configuring AdonisJS Shield CSP with the documented Vite keywords @viteDevUrl and @viteHmrUrl, the generated Content Security Policy appears to emit those keywords literally instead of resolving them to the Vite dev server URL and HMR WebSocket URL.
This causes the browser to block the Vite HMR WebSocket connection under connect-src.
Environment
- AdonisJS app running in HMR mode
- Local server:
http://localhost:3333
- Vite HMR WebSocket attempted at:
ws://localhost:24678
- Shield CSP enabled in report-only mode
- Browser: Chrome
Relevant Shield configuration
import env from '#start/env'
import app from '@adonisjs/core/services/app'
import { defineConfig } from '@adonisjs/shield'
const publicAssetOrigins = ['https://assets.feldistribution.com']
if (!app.inProduction) {
publicAssetOrigins.push('https://s3.us-east-005.backblazeb2.com')
}
const shieldConfig = defineConfig({
csp: {
enabled: env.get('CSP_ENABLED'),
directives: {
baseUri: [`'self'`],
formAction: [`'self'`],
frameAncors: [`'none'`],
defaultSrc: [`'self'`, '@viteDevUrl'],
connectSrc: [
`'self'`,
'@viteHmrUrl',
'https://analytics.feldistribution.com',
'https://www.google-analytics.com',
'https://region1.google-analytics.com',
'https://www.googletagmanager.com',
'https://www.googleadservices.com',
'https://googleads.g.doubleclick.net',
'https://www.google.com',
'https://www.google.ca',
'https://ad.doubleclick.net',
],
scriptSrc: [
`'self'`,
'@nonce',
'https://www.googletagmanager.com',
'https://analytics.feldistribution.com',
'https://www.googleadservices.com',
'https://googleads.g.doubleclick.net',
],
styleSrc: [`'self'`, '@nonce', `'unsafe-inline'`],
styleSrcAttr: [`'unsafe-inline'`],
fontSrc: [`'self'`],
frameSrc: [
`'self'`,
'https://www.google.com',
'https://www.youtube.com',
'https://www.youtube-nocookie.com',
],
imgSrc: [
`'self'`,
...publicAssetOrigins,
'data:',
'https://i.ytimg.com',
'https://*.googleusercontent.com',
'https://*.gstatic.com',
'https://www.google-analytics.com',
'https://www.googletagmanager.com',
'https://googleads.g.doubleclick.net',
'https://www.google.com',
'https://www.google.ca',
],
objectSrc: [`'none'`],
reportUri: ['/csp-report'],
},
reportOnly: env.get('CSP_REPORT_ONLY'),
},
})
export default shieldConfig
Actual behavior
The CSP violation report shows the policy still contains the raw keywords:
default-src 'self' @viteDevUrl;
connect-src 'self' @viteHmrUrl ...
The browser then blocks the Vite HMR websocket:
violated-directive: connect-src
effective-directive: connect-src
blocked-uri: ws://localhost:24678/?token=L-TsiGIT3QLz
source-file: http://localhost:3333/@vite/client
Full relevant report excerpt:
[15:10:22.658] WARN (25504): CSP violation report
csp: {
"csp-report": {
"document-uri": "http://localhost:3333/fr",
"referrer": "http://localhost:3333/fr",
"violated-directive": "connect-src",
"effective-directive": "connect-src",
"original-policy": "base-uri 'self';form-action 'self';frame-ancestors 'none';default-src 'self' @viteDevUrl;connect-src 'self' @viteHmrUrl https://analytics.feldistribution.com https://www.google-analytics.com https://region1.google-analytics.com https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google.com https://www.google.ca https://ad.doubleclick.net;script-src 'self' 'nonce-jFaViDxm0jwvKG_9' https://www.googletagmanager.com https://analytics.feldistribution.com https://www.googleadservices.com https://googleads.g.doubleclick.net;style-src 'self' 'nonce-jFaViDxm0jwvKG_9' 'unsafe-inline';style-src-attr 'unsafe-inline';font-src 'self';frame-src 'self' https://www.google.com https://www.youtube.com https://www.youtube-nocookie.com;img-src 'self' https://assets.feldistribution.com https://s3.us-east-005.backblazeb2.com data: https://i.ytimg.com https://*.googleusercontent.com https://*.gstatic.com https://www.google-analytics.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://www.google.com https://www.google.ca;object-src 'none';report-uri /csp-report",
"disposition": "report",
"blocked-uri": "ws://localhost:24678/?token=L-TsiGIT3QLz",
"line-number": 745,
"column-number": 27,
"source-file": "http://localhost:3333/@vite/client",
"status-code": 200
}
}
Expected behavior
Based on the Shield documentation, @viteDevUrl should resolve to the Vite development server URL, and @viteHmrUrl should allow the HMR WebSocket connection.
I expected the emitted CSP to contain the resolved dev/HMR origins instead of the literal placeholder keywords.
Notes
Other CSP directives appear to be emitted correctly. For example, @nonce is resolved to an actual nonce value, and styleSrcAttr is emitted as style-src-attr 'unsafe-inline'.
The issue appears specific to the Vite CSP keywords not being resolved.
Reproduction repo
No response
Package version
9.0.0
Describe the bug
Description
When configuring AdonisJS Shield CSP with the documented Vite keywords
@viteDevUrland@viteHmrUrl, the generated Content Security Policy appears to emit those keywords literally instead of resolving them to the Vite dev server URL and HMR WebSocket URL.This causes the browser to block the Vite HMR WebSocket connection under
connect-src.Environment
http://localhost:3333ws://localhost:24678Relevant Shield configuration
Actual behavior
The CSP violation report shows the policy still contains the raw keywords:
The browser then blocks the Vite HMR websocket:
Full relevant report excerpt:
[15:10:22.658] WARN (25504): CSP violation report csp: { "csp-report": { "document-uri": "http://localhost:3333/fr", "referrer": "http://localhost:3333/fr", "violated-directive": "connect-src", "effective-directive": "connect-src", "original-policy": "base-uri 'self';form-action 'self';frame-ancestors 'none';default-src 'self' @viteDevUrl;connect-src 'self' @viteHmrUrl https://analytics.feldistribution.com https://www.google-analytics.com https://region1.google-analytics.com https://www.googletagmanager.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.google.com https://www.google.ca https://ad.doubleclick.net;script-src 'self' 'nonce-jFaViDxm0jwvKG_9' https://www.googletagmanager.com https://analytics.feldistribution.com https://www.googleadservices.com https://googleads.g.doubleclick.net;style-src 'self' 'nonce-jFaViDxm0jwvKG_9' 'unsafe-inline';style-src-attr 'unsafe-inline';font-src 'self';frame-src 'self' https://www.google.com https://www.youtube.com https://www.youtube-nocookie.com;img-src 'self' https://assets.feldistribution.com https://s3.us-east-005.backblazeb2.com data: https://i.ytimg.com https://*.googleusercontent.com https://*.gstatic.com https://www.google-analytics.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://www.google.com https://www.google.ca;object-src 'none';report-uri /csp-report", "disposition": "report", "blocked-uri": "ws://localhost:24678/?token=L-TsiGIT3QLz", "line-number": 745, "column-number": 27, "source-file": "http://localhost:3333/@vite/client", "status-code": 200 } }Expected behavior
Based on the Shield documentation,
@viteDevUrlshould resolve to the Vite development server URL, and@viteHmrUrlshould allow the HMR WebSocket connection.I expected the emitted CSP to contain the resolved dev/HMR origins instead of the literal placeholder keywords.
Notes
Other CSP directives appear to be emitted correctly. For example,
@nonceis resolved to an actual nonce value, andstyleSrcAttris emitted asstyle-src-attr 'unsafe-inline'.The issue appears specific to the Vite CSP keywords not being resolved.
Reproduction repo
No response