fix(security): support nonce in streaming SSR #3852
🦋 Changeset detected
Latest commit: 0e55800
The changes in this PR will be included in the next version bump. This PR includes changesets to release 215 packages.
Codecov Report
Patch coverage has no change and project coverage change:
Additional details and impacted files
@@ Coverage Diff @@
## main #3852 +/- ##
==========================================
- Coverage 57.59% 57.45% -0.14%
==========================================
Files 672 650 -22
Lines 17794 17494 -300
Branches 3876 3826 -50
==========================================
- Hits 10249 10052 -197
+ Misses 6934 6824 -110
- Partials 611 618 +7
Summary
🤖 Generated by Copilot at 0e55800
This pull request adds support for using nonce in streaming server-side rendering (SSR) with nested routes. nonce is a security attribute that helps prevent cross-site scripting attacks. The pull request updates the @modern-js/runtime and @modern-js/utils packages and modifies the files DeferredDataScripts.node.tsx, plugin.node.tsx, and nestedRoutes.tsx.

Details
🤖 Generated by Copilot at 0e55800
- @modern-js/runtime and @modern-js/utils packages, which fix the nonce support in streaming SSR
- @modern-js/runtime package to accept and pass the nonce prop to the components and script elements that are responsible for rendering the deferred data scripts for the nested routes in streaming SSR
- routerPlugin function in the @modern-js/runtime package to extract the nonce value from the ssrContext object and pass it to the DeferredDataComponent parameter of the renderNestedRoute function
- renderNestedRoute function in the @modern-js/utils package to accept and render the DeferredDataComponent parameter, which can be a function that takes the nonce prop
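An added illustration, not code from this PR or from Modern.js: under a nonce-based Content-Security-Policy, an inline script flushed late in a streamed response is blocked unless it carries the same nonce as the header, which is the case the summary above describes for deferred data scripts. The nonce, the policy, the `deferredChunk` helper and the `window.__deferred` variable are assumptions made up for the example, and the audit covers nonce-based policies only.

```javascript
// Constructed sample values. A real server generates a fresh nonce per response
// with a CSPRNG and sends it in the Content-Security-Policy header.
const NONCE = "c2FtcGxlLW5vbmNlLTAwMQ==";
const CSP = `default-src 'self'; script-src 'self' 'nonce-${NONCE}'`;

// Nonces allowed for scripts: script-src, falling back to default-src as CSP does.
function allowedNonces(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values);
  }
  const sources = directives.get("script-src") ?? directives.get("default-src") ?? [];
  return new Set(sources.map((s) => /^'nonce-(.+)'$/.exec(s)?.[1]).filter(Boolean));
}

// Serialize for an inline script; "<" is escaped so data cannot close the element.
const inlineJson = (value) => JSON.stringify(value).replace(/</g, "\\u003c");

// Hypothetical stand-in for a deferred-data script flushed late in the stream.
function deferredChunk(routeId, data, nonce) {
  const attr = nonce ? ` nonce="${nonce}"` : "";
  return `<script${attr}>window.__deferred[${inlineJson(routeId)}]=${inlineJson(data)}</script>`;
}

// Inline <script> start tags in the streamed output that the policy would block.
// Regex scanning is enough for auditing your own SSR output, not arbitrary HTML.
function blockedInlineScripts(chunks, csp) {
  const nonces = allowedNonces(csp);
  const html = chunks.join(""); // a tag can straddle a chunk boundary
  const blocked = [];
  for (const [tag, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    if (/\ssrc\s*=/i.test(attrs)) continue; // external script, not an inline one
    const nonce = /\snonce\s*=\s*"([^"]*)"/i.exec(attrs)?.[1];
    if (!nonce || !nonces.has(nonce)) blocked.push(tag);
  }
  return blocked;
}

const shell = `<div id="root"></div><script nonce="${NONCE}">window.__deferred={}</script>`;
const withoutNonce = [shell, deferredChunk("user", { name: "a" })];
const withNonce = [shell, deferredChunk("user", { name: "a" }, NONCE)];
console.log(blockedInlineScripts(withoutNonce, CSP)); // the deferred script is flagged
console.log(blockedInlineScripts(withNonce, CSP));
```

Running the same audit over captured SSR output in an integration test catches any later chunk that is emitted without the nonce.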