✨ [RUM-139] Add CSP trusted-types support#4854
Draft
mormubis wants to merge 1 commit into
Draft
Conversation
Bundles Sizes Evolution
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
When a customer uses
require-trusted-types-for 'script'in their CSP, two things break. The compression worker fails becausenew Worker(url)with a plain string is blocked. The session replay recorder fails because Webpack loads lazy chunks by settingscriptElement.src = url, which is also blocked. Both produceTrustedScriptURLviolations and the SDK bails out.Fixes #3506. Jira: RUM-139.
Changes
Two fixes, one for each broken path.
For Webpack chunks: added
output.trustedTypes: { policyName: 'datadog-chunks' }inwebpack.base.ts. Webpack 5 has built-in support for this and handles thecreatePolicy/ fallback logic on its own.For the worker: added
getWorkerTrustedTypePolicy()indeflateWorker.tsthat creates adatadog-workerpolicy and wraps the URL throughcreateScriptURL()before passing it tonew Worker(). Falls back to a no-op passthrough in browsers without trusted types support.Two separate policies are needed because Webpack creates and owns its policy internally, so we can't reuse it. And you can't create two policies with the same name by default (the spec blocks it unless
allow-duplicatesis in the CSP).The third broken path from the ticket, the async CDN snippet's
.src = urlassignment, is not covered here. That one needs a documentation workaround rather than a code change.Test instructions
yarn test:e2e -g "Trusted Types"Or to test manually: start the dev server, open a page served with
require-trusted-types-for 'script'; trusted-types datadog-chunks datadog-workerheaders, and initialize RUM withcompressIntakeRequests: trueandsessionReplaySampleRate: 100. There should be no CSP violations in the console and both the worker (blob URL) and recorder chunk should load.Checklist