by j13n 433 days ago
This is the second post I’ve seen praising Datastar in the last 24 hours, and once again no mention of the requirement to punch a gaping hole in one’s Content-Security-Policy.

If this is the framework of the future, cyber criminals are going to have a bright future!


That's the nature of anything that does this kind of work. React, Svelte, Solid. Alpine has a CSP version but it does so little that I recommend you just accept being a Web1 MPA basic site.

I have ideas around ways around this but it's a per language template middleware.

Alpine CSP version works fine. You just can't write JS code in strings, which one may wish to avoid anyway.

I also didn't have a problem with CSP and HTMX.

Nor with SvelteKit.

I'm not sure why you think these are all equivalent to DataStar's hard requirement on unsafe-eval.

FYI, this is the reason I didn't try out DataStar.

Svelte only requires a CSP hole in its default config as a standalone library; SvelteKit does proper CSP by default, and if you're not using SvelteKit you can build CSP handling into whatever you are using instead. I assume the others are the same way.
Could you avoid eval by having a CSP mode that forces reactive expressions to only allow functions users have registered with datastar in a lookup table?
Is there anything I could read for a detailed explanation of the issue, in particular w.r.t. datastar?
Please don't cargo cult CSP without understanding it.

unsafe-eval constrained to function constructors without inline scripts is only a concern if you are rendering user submitted HTML (most common case I see is markdown). Regardless of your CSP configuration you should be sanitizing that user submitted HTML anyway.

How does this compare to HTMX (security wise)?
Same, you control your signals and fragments. So you are responsible for proper escaping and thoughtful design.
You can disable all use of eval with htmx. The tradeoff is one has to write a bit more JavaScript.

https://news.ycombinator.com/item?id=43650921

I have thoughts about a fully compliant CSP middleware; the problem is it's per language, so I'd probably only make it for Go (maybe PHP & TS).
Hashes or nonces?
Hashed script content
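The hashed-script approach answered above, shown as an added example that is not the commenter's middleware: it computes the `'sha256-...'` source expression for an inline script, builds a script-src policy without `'unsafe-eval'`, and offers a per-response nonce as the alternative. The weak eval-requiring policy is shown beside it for contrast; the sample script is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// CSPHashSource returns the script-src source expression for an inline script
// body. The hash covers the exact text between <script> and </script>, so any
// whitespace or template change invalidates it.
func CSPHashSource(script string) string {
	sum := sha256.Sum256([]byte(script))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// HashedCSP allows only same-origin script files plus the given inline scripts
// by hash: no 'unsafe-inline' and no 'unsafe-eval'.
func HashedCSP(scripts []string) string {
	sources := []string{"'self'"}
	for _, s := range scripts {
		sources = append(sources, CSPHashSource(s))
	}
	return "script-src " + strings.Join(sources, " ") + "; object-src 'none'; base-uri 'none'"
}

// NewNonce returns a fresh per-response value for the 'nonce-...' alternative;
// each response must get its own, and it goes on every allowed <script> tag.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// EvalCSP is the weaker policy a framework that compiles expressions with
// Function()/eval forces on you.
const EvalCSP = "script-src 'self' 'unsafe-eval'; object-src 'none'; base-uri 'none'"

func main() {
	page := []string{`console.log("hello")`} // constructed inline script
	fmt.Println("hashed: ", HashedCSP(page))
	fmt.Println("eval:   ", EvalCSP)
}
```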
Thank you for doing this. Is it possible to follow the work somewhere?
Could you please elaborate on this?