feat: add assets management #63

Merged: romsar merged 4 commits into romsar:2.x from eznix86:assets on Nov 26, 2025

eznix86 (Contributor) commented Oct 21, 2025

  • Add CSP Support (can be customized). It ensures the assets come from you. It could be paired with a logic somewhere with a middleware. Laravel for now has a fixed nonce instead of having a different nonce per request.

  • Added assets preloading strategy (like Laravel)

    • no preloading (like before)
    • aggressive
    • waterfall
  • added {{ viteAssets }} entrypoint can be set on the back or on the html.

  • added {{ viteAssetsWithNonce .csp_nonce }} to be able to send csp nonce to render-renderer.

  • added .CSPMiddleware() on vite instance.

  • added integrity checking, there is a package for vite which writes integrity for each file. The package is old, but it is just a single file and it works.

No breaking change. But it should be either {{ vite ....}} we can call it "manual" mode, or the new one, "automatic mode". Everything is opt-in.

As a note: some frameworks, like VueJS (tested), might include inline CSS. We can apply a nonce with this:

    <script nonce="{{.csp_nonce}}">
        window.__CSP_NONCE__ = "{{.csp_nonce}}";
    </script>

    // part of your application js entry point
    function contentSecurityPolicy() {
      const nonce = window.__CSP_NONCE__;

      // stamp <style> elements that are already in the document
      document.querySelectorAll("style").forEach((el) => {
        if (!el.hasAttribute("nonce")) el.setAttribute("nonce", nonce);
      });

      // stamp <style> elements added to <head> later
      const observer = new MutationObserver((mutations) => {
        for (const mutation of mutations) {
          for (const node of mutation.addedNodes) {
            if (node.tagName === "STYLE" && !node.hasAttribute("nonce")) {
              node.setAttribute("nonce", nonce);
            }
          }
        }
      });

      observer.observe(document.head, { childList: true });
    }

Basically

eznix86 marked this pull request as draft October 24, 2025 16:52

romsar (Owner) commented Nov 5, 2025

Hey @eznix86 is it still a draft?

eznix86 (Contributor, Author) commented Nov 5, 2025

Hi, yes, I am using it in another application. I am seeing what's missing, then I will remove the draft state.

eznix86 (Contributor, Author) commented Nov 5, 2025

My current issue is that I need to create a singleton to generate the nonce and share it between the template and the middleware. I am open to a better way to handle it!
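Added example, not part of this PR or the project's code: one way to share a per-request nonce between the CSP header and the template through the request context instead of a singleton. `CSPNonce`, `NonceFrom`, `Page`, `Fetch` and the policy string are hypothetical names and assumptions; only `csp_nonce` and `window.__CSP_NONCE__` come from the thread.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
)

type nonceKey struct{} // unexported context key type; cannot collide with other packages

// CSPNonce is a hypothetical middleware (not this project's CSPMiddleware). It draws a
// fresh nonce per request, stores it in the context and sets an assumed nonce-only policy.
func CSPNonce(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		buf := make([]byte, 16) // 128 bits from the OS CSPRNG
		if _, err := rand.Read(buf); err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return // fail closed rather than serve a predictable nonce
		}
		nonce := base64.RawURLEncoding.EncodeToString(buf)
		w.Header().Set("Content-Security-Policy",
			fmt.Sprintf("script-src 'nonce-%s'; style-src 'nonce-%s'", nonce, nonce))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

// NonceFrom returns the nonce stored by CSPNonce, or "" if the middleware did not run.
func NonceFrom(ctx context.Context) string {
	n, _ := ctx.Value(nonceKey{}).(string)
	return n
}

var page = template.Must(template.New("page").Parse(
	`<script nonce="{{.csp_nonce}}">window.__CSP_NONCE__ = "{{.csp_nonce}}";</script>`))

// Page passes the request's nonce to the template, so markup and header always agree.
func Page(w http.ResponseWriter, r *http.Request) {
	_ = page.Execute(w, map[string]any{"csp_nonce": NonceFrom(r.Context())})
}

// Fetch serves one constructed in-process request and returns the CSP header and body.
func Fetch() (csp, body string) {
	rec := httptest.NewRecorder()
	CSPNonce(http.HandlerFunc(Page)).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Header().Get("Content-Security-Policy"), rec.Body.String()
}
func main() { fmt.Println(Fetch()) }
```

Because the nonce lives in the request context, two concurrent requests can never see each other's value, which a process-wide singleton cannot guarantee.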

eznix86 marked this pull request as ready for review November 5, 2025 21:03

eznix86 (Contributor, Author) commented Nov 6, 2025

Fixed, I've found a better way to manage CSP. Let me know what you think!

romsar (Owner) commented Nov 26, 2025

> Fixed, I've found a better way to manage CSP. Let me know what you think!

Looks good, thanks!

romsar merged commit 63970e2 into romsar:2.x Nov 26, 2025
1 check passed