astro 5.8.1 → 5.9.0

package/dist/core/constants.js

@@ -1,4 +1,4 @@
-const ASTRO_VERSION = "5.8.1";
+const ASTRO_VERSION = "5.9.0";
 const REROUTE_DIRECTIVE_HEADER = "X-Astro-Reroute";
 const REWRITE_DIRECTIVE_HEADER_KEY = "X-Astro-Rewrite";
 const REWRITE_DIRECTIVE_HEADER_VALUE = "yes";

package/dist/core/csp/common.d.ts

@@ -0,0 +1,16 @@
+import type { AstroSettings } from '../../types/astro.js';
+import type { AstroConfig, CspAlgorithm } from '../../types/public/index.js';
+import type { BuildInternals } from '../build/internal.js';
+import type { CspDirective } from './config.js';
+type EnabledCsp = Exclude<AstroConfig['experimental']['csp'], false>;
+export declare function shouldTrackCspHashes(csp: any): csp is EnabledCsp;
+export declare function getAlgorithm(csp: EnabledCsp): CspAlgorithm;
+export declare function getScriptHashes(csp: EnabledCsp): string[];
+export declare function getScriptResources(csp: EnabledCsp): string[];
+export declare function getStyleHashes(csp: EnabledCsp): string[];
+export declare function getStyleResources(csp: EnabledCsp): string[];
+export declare function getDirectives(csp: EnabledCsp): CspDirective[];
+export declare function getStrictDynamic(csp: EnabledCsp): boolean;
+export declare function trackStyleHashes(internals: BuildInternals, settings: AstroSettings, algorithm: CspAlgorithm): Promise<string[]>;
+export declare function trackScriptHashes(internals: BuildInternals, settings: AstroSettings, algorithm: CspAlgorithm): Promise<string[]>;
+export {};

package/dist/core/csp/common.js

@@ -0,0 +1,116 @@
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { ISLAND_STYLES } from "../../runtime/server/astro-island-styles.js";
+import astroIslandPrebuiltDev from "../../runtime/server/astro-island.prebuilt-dev.js";
+import astroIslandPrebuilt from "../../runtime/server/astro-island.prebuilt.js";
+import { generateCspDigest } from "../encryption.js";
+function shouldTrackCspHashes(csp) {
+  return csp === true || typeof csp === "object";
+}
+function getAlgorithm(csp) {
+  if (csp === true) {
+    return "SHA-256";
+  }
+  return csp.algorithm;
+}
+function getScriptHashes(csp) {
+  if (csp === true) {
+    return [];
+  } else {
+    return csp.scriptDirective?.hashes ?? [];
+  }
+}
+function getScriptResources(csp) {
+  if (csp === true) {
+    return [];
+  }
+  return csp.scriptDirective?.resources ?? [];
+}
+function getStyleHashes(csp) {
+  if (csp === true) {
+    return [];
+  }
+  return csp.styleDirective?.hashes ?? [];
+}
+function getStyleResources(csp) {
+  if (csp === true) {
+    return [];
+  }
+  return csp.styleDirective?.resources ?? [];
+}
+function getDirectives(csp) {
+  if (csp === true) {
+    return [];
+  }
+  return csp.directives ?? [];
+}
+function getStrictDynamic(csp) {
+  if (csp === true) {
+    return false;
+  }
+  return csp.scriptDirective?.strictDynamic ?? false;
+}
+async function trackStyleHashes(internals, settings, algorithm) {
+  const clientStyleHashes = [];
+  for (const [_, page] of internals.pagesByViteID.entries()) {
+    for (const style of page.styles) {
+      if (style.sheet.type === "inline") {
+        clientStyleHashes.push(await generateCspDigest(style.sheet.content, algorithm));
+      }
+    }
+  }
+  for (const clientAsset in internals.clientChunksAndAssets) {
+    const contents = readFileSync(
+      fileURLToPath(new URL(clientAsset, settings.config.build.client)),
+      "utf-8"
+    );
+    if (clientAsset.endsWith(".css") || clientAsset.endsWith(".css")) {
+      clientStyleHashes.push(await generateCspDigest(contents, algorithm));
+    }
+  }
+  if (settings.renderers.length > 0) {
+    clientStyleHashes.push(await generateCspDigest(ISLAND_STYLES, algorithm));
+  }
+  return clientStyleHashes;
+}
+async function trackScriptHashes(internals, settings, algorithm) {
+  const clientScriptHashes = [];
+  for (const script of internals.inlinedScripts.values()) {
+    clientScriptHashes.push(await generateCspDigest(script, algorithm));
+  }
+  for (const directiveContent of Array.from(settings.clientDirectives.values())) {
+    clientScriptHashes.push(await generateCspDigest(directiveContent, algorithm));
+  }
+  for (const clientAsset in internals.clientChunksAndAssets) {
+    const contents = readFileSync(
+      fileURLToPath(new URL(clientAsset, settings.config.build.client)),
+      "utf-8"
+    );
+    if (clientAsset.endsWith(".js") || clientAsset.endsWith(".mjs")) {
+      clientScriptHashes.push(await generateCspDigest(contents, algorithm));
+    }
+  }
+  for (const script of settings.scripts) {
+    const { content, stage } = script;
+    if (stage === "head-inline" || stage === "before-hydration") {
+      clientScriptHashes.push(await generateCspDigest(content, algorithm));
+    }
+  }
+  if (settings.renderers.length > 0) {
+    clientScriptHashes.push(await generateCspDigest(astroIslandPrebuilt, algorithm));
+    clientScriptHashes.push(await generateCspDigest(astroIslandPrebuiltDev, algorithm));
+  }
+  return clientScriptHashes;
+}
+export {
+  getAlgorithm,
+  getDirectives,
+  getScriptHashes,
+  getScriptResources,
+  getStrictDynamic,
+  getStyleHashes,
+  getStyleResources,
+  shouldTrackCspHashes,
+  trackScriptHashes,
+  trackStyleHashes
+};

package/dist/core/csp/config.d.ts

@@ -0,0 +1,16 @@
+import { z } from 'zod';
+export declare const ALGORITHMS: {
+    readonly 'SHA-256': "sha256-";
+    readonly 'SHA-384': "sha384-";
+    readonly 'SHA-512': "sha512-";
+};
+type Algorithms = typeof ALGORITHMS;
+export type CspAlgorithm = keyof Algorithms;
+export declare const cspAlgorithmSchema: z.ZodDefault<z.ZodOptional<z.ZodEnum<["SHA-256", "SHA-384", "SHA-512"]>>>;
+export declare const cspHashSchema: z.ZodType<`sha256-${string}` | `sha384-${string}` | `sha512-${string}`, z.ZodTypeDef, `sha256-${string}` | `sha384-${string}` | `sha512-${string}`>;
+export type CspHash = z.infer<typeof cspHashSchema>;
+declare const ALLOWED_DIRECTIVES: readonly ["base-uri", "child-src", "connect-src", "default-src", "fenced-frame-src", "font-src", "form-action", "frame-ancestors", "frame-src", "img-src", "manifest-src", "media-src", "object-src", "referrer", "report-to", "require-trusted-types-for", "sandbox", "trusted-types", "upgrade-insecure-requests", "worker-src"];
+export type CspDirective = `${AllowedDirectives} ${string}`;
+export declare const allowedDirectivesSchema: z.ZodType<`base-uri ${string}` | `child-src ${string}` | `connect-src ${string}` | `default-src ${string}` | `fenced-frame-src ${string}` | `font-src ${string}` | `form-action ${string}` | `frame-ancestors ${string}` | `frame-src ${string}` | `img-src ${string}` | `manifest-src ${string}` | `media-src ${string}` | `object-src ${string}` | `referrer ${string}` | `report-to ${string}` | `require-trusted-types-for ${string}` | `sandbox ${string}` | `trusted-types ${string}` | `upgrade-insecure-requests ${string}` | `worker-src ${string}`, z.ZodTypeDef, `base-uri ${string}` | `child-src ${string}` | `connect-src ${string}` | `default-src ${string}` | `fenced-frame-src ${string}` | `font-src ${string}` | `form-action ${string}` | `frame-ancestors ${string}` | `frame-src ${string}` | `img-src ${string}` | `manifest-src ${string}` | `media-src ${string}` | `object-src ${string}` | `referrer ${string}` | `report-to ${string}` | `require-trusted-types-for ${string}` | `sandbox ${string}` | `trusted-types ${string}` | `upgrade-insecure-requests ${string}` | `worker-src ${string}`>;
+type AllowedDirectives = (typeof ALLOWED_DIRECTIVES)[number];
+export {};

package/dist/core/csp/config.js

@@ -0,0 +1,52 @@
+import { z } from "zod";
+const ALGORITHMS = {
+  "SHA-256": "sha256-",
+  "SHA-384": "sha384-",
+  "SHA-512": "sha512-"
+};
+const ALGORITHM_VALUES = Object.values(ALGORITHMS);
+const cspAlgorithmSchema = z.enum(Object.keys(ALGORITHMS)).optional().default("SHA-256");
+const cspHashSchema = z.custom((value) => {
+  if (typeof value !== "string") {
+    return false;
+  }
+  return ALGORITHM_VALUES.some((allowedValue) => {
+    return value.startsWith(allowedValue);
+  });
+});
+const ALLOWED_DIRECTIVES = [
+  "base-uri",
+  "child-src",
+  "connect-src",
+  "default-src",
+  "fenced-frame-src",
+  "font-src",
+  "form-action",
+  "frame-ancestors",
+  "frame-src",
+  "img-src",
+  "manifest-src",
+  "media-src",
+  "object-src",
+  "referrer",
+  "report-to",
+  "require-trusted-types-for",
+  "sandbox",
+  "trusted-types",
+  "upgrade-insecure-requests",
+  "worker-src"
+];
+const allowedDirectivesSchema = z.custom((value) => {
+  if (typeof value !== "string") {
+    return false;
+  }
+  return ALLOWED_DIRECTIVES.some((allowedValue) => {
+    return value.startsWith(allowedValue);
+  });
+});
+export {
+  ALGORITHMS,
+  allowedDirectivesSchema,
+  cspAlgorithmSchema,
+  cspHashSchema
+};

package/dist/core/dev/dev.js

@@ -22,7 +22,7 @@ async function dev(inlineConfig) {
   await telemetry.record([]);
   const restart = await createContainerWithAutomaticRestart({ inlineConfig, fs });
   const logger = restart.container.logger;
-  const currentVersion = "5.8.1";
+  const currentVersion = "5.9.0";
   const isPrerelease = currentVersion.includes("-");
   if (!isPrerelease) {
     try {

package/dist/core/encryption.d.ts

@@ -1,3 +1,5 @@
+import type { CspAlgorithm } from '../types/public/index.js';
+import { type CspHash } from './csp/config.js';
 /**
  * Creates a CryptoKey object that can be used to encrypt any string.
  */
@@ -26,3 +28,9 @@ export declare function encryptString(key: CryptoKey, raw: string): Promise<stri
  * Takes a base64 encoded string, decodes it and returns the decrypted text.
  */
 export declare function decryptString(key: CryptoKey, encoded: string): Promise<string>;
+/**
+ * Generates an SHA-256 digest of the given string.
+ * @param {string} data The string to hash.
+ * @param {CspAlgorithm} algorithm The algorithm to use.
+ */
+export declare function generateCspDigest(data: string, algorithm: CspAlgorithm): Promise<CspHash>;

package/dist/core/encryption.js

@@ -1,4 +1,5 @@
 import { decodeBase64, decodeHex, encodeBase64, encodeHexUpperCase } from "@oslojs/encoding";
+import { ALGORITHMS } from "./csp/config.js";
 const ALGORITHM = "AES-GCM";
 async function createKey() {
   const key = await crypto.subtle.generateKey(
@@ -66,12 +67,18 @@ async function decryptString(key, encoded) {
   const decryptedString = decoder.decode(decryptedBuffer);
   return decryptedString;
 }
+async function generateCspDigest(data, algorithm) {
+  const hashBuffer = await crypto.subtle.digest(algorithm, encoder.encode(data));
+  const hash = encodeBase64(new Uint8Array(hashBuffer));
+  return `${ALGORITHMS[algorithm]}${hash}`;
+}
 export {
   createKey,
   decodeKey,
   decryptString,
   encodeKey,
   encryptString,
+  generateCspDigest,
   getEnvironmentKey,
   hasEnvironmentKey
 };

package/dist/core/errors/errors-data.d.ts

@@ -1230,6 +1230,18 @@ export declare const FontFamilyNotFound: {
     message: (family: string) => string;
     hint: string;
 };
+/**
+ * @docs
+ * @description
+ * The CSP feature isn't enabled
+ * @message
+ * The `experimental.csp` configuration isn't enabled.
+ */
+export declare const CspNotEnabled: {
+    name: string;
+    title: string;
+    message: string;
+};
 /**
  * @docs
  * @kind heading

package/dist/core/errors/errors-data.js

@@ -464,6 +464,11 @@ const FontFamilyNotFound = {
   message: (family) => `No data was found for the \`"${family}"\` family passed to the \`<Font>\` component.`,
   hint: "This is often caused by a typo. Check that your Font component is using a `cssVariable` specified in your config."
 };
+const CspNotEnabled = {
+  name: "CspNotEnabled",
+  title: "CSP feature isn't enabled",
+  message: "The `experimental.csp` configuration isn't enabled."
+};
 const UnknownCSSError = {
   name: "UnknownCSSError",
   title: "Unknown CSS Error."
@@ -736,6 +741,7 @@ export {
   ContentLoaderReturnsInvalidId,
   ContentSchemaContainsSlugError,
   CouldNotTransformImage,
+  CspNotEnabled,
   DataCollectionEntryParseError,
   DuplicateContentEntrySlugError,
   EndpointDidNotReturnAResponse,

package/dist/core/messages.js

@@ -37,7 +37,7 @@ function serverStart({
   host,
   base
 }) {
-  const version = "5.8.1";
+  const version = "5.9.0";
   const localPrefix = `${dim("\u2503")} Local    `;
   const networkPrefix = `${dim("\u2503")} Network  `;
   const emptyPrefix = " ".repeat(11);
@@ -274,7 +274,7 @@ function printHelp({
     message.push(
       linebreak(),
       `  ${bgGreen(black(` ${commandName} `))} ${green(
-        `v${"5.8.1"}`
+        `v${"5.9.0"}`
       )} ${headline}`
     );
   }

package/dist/core/middleware/index.js

@@ -82,6 +82,16 @@ function createContext({
     },
     set locals(_) {
       throw new AstroError(AstroErrorData.LocalsReassigned);
+    },
+    insertDirective() {
+    },
+    insertScriptResource() {
+    },
+    insertStyleResource() {
+    },
+    insertScriptHash() {
+    },
+    insertStyleHash() {
     }
   };
   return Object.assign(context, {

package/dist/core/middleware/sequence.js

@@ -25,11 +25,11 @@ function sequence(...handlers) {
             if (payload instanceof Request) {
               newRequest = payload;
             } else if (payload instanceof URL) {
-              newRequest = new Request(payload, handleContext.request);
+              newRequest = new Request(payload, handleContext.request.clone());
             } else {
               newRequest = new Request(
                 new URL(payload, handleContext.url.origin),
-                handleContext.request
+                handleContext.request.clone()
               );
             }
             const oldPathname = handleContext.url.pathname;

package/dist/core/render-context.d.ts

@@ -38,6 +38,7 @@ export declare class RenderContext {
      * A safety net in case of loops
      */
     counter: number;
+    result: SSRResult | undefined;
     static create({ locals, middleware, pathname, pipeline, request, routeData, clientAddress, status, props, partial, actions, }: Pick<RenderContext, 'pathname' | 'pipeline' | 'request' | 'routeData' | 'clientAddress'> & Partial<Pick<RenderContext, 'locals' | 'middleware' | 'status' | 'props' | 'partial' | 'actions'>>): Promise<RenderContext>;
     /**
      * The main function of the RenderContext.

package/dist/core/render-context.js

@@ -20,7 +20,7 @@ import {
 } from "./constants.js";
 import { AstroCookies, attachCookiesToResponse } from "./cookies/index.js";
 import { getCookiesFromResponse } from "./cookies/response.js";
-import { ForbiddenRewrite } from "./errors/errors-data.js";
+import { CspNotEnabled, ForbiddenRewrite } from "./errors/errors-data.js";
 import { AstroError, AstroErrorData } from "./errors/index.js";
 import { callMiddleware } from "./middleware/callMiddleware.js";
 import { sequence } from "./middleware/index.js";
@@ -56,6 +56,7 @@ class RenderContext {
    * A safety net in case of loops
    */
   counter = 0;
+  result = void 0;
   static async create({
     locals = {},
     middleware,
@@ -181,10 +182,10 @@ class RenderContext {
         case "redirect":
           return renderRedirect(this);
         case "page": {
-          const result = await this.createResult(componentInstance, actionApiContext);
+          this.result = await this.createResult(componentInstance, actionApiContext);
           try {
             response2 = await renderPage(
-              result,
+              this.result,
               componentInstance?.default,
               props,
               slots,
@@ -192,7 +193,7 @@ class RenderContext {
               this.routeData
             );
           } catch (e) {
-            result.cancelled = true;
+            this.result.cancelled = true;
             throw e;
           }
           response2.headers.set(ROUTE_TYPE_HEADER, "page");
@@ -324,6 +325,36 @@ class RenderContext {
           return void 0;
         }
         return renderContext.session;
+      },
+      insertDirective(payload) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.directives.push(payload);
+      },
+      insertScriptResource(resource) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.scriptResources.push(resource);
+      },
+      insertStyleResource(resource) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.styleResources.push(resource);
+      },
+      insertStyleHash(hash) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.styleHashes.push(hash);
+      },
+      insertScriptHash(hash) {
+        if (!!pipeline.manifest.csp === false) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.scriptHashes.push(hash);
       }
     };
   }
@@ -380,8 +411,19 @@ class RenderContext {
         hasRenderedServerIslandRuntime: false,
         headInTree: false,
         extraHead: [],
+        extraStyleHashes: [],
+        extraScriptHashes: [],
         propagators: /* @__PURE__ */ new Set()
-      }
+      },
+      shouldInjectCspMetaTags: !!manifest.csp,
+      cspAlgorithm: manifest.csp?.algorithm ?? "SHA-256",
+      // The following arrays must be cloned, otherwise they become mutable across routes.
+      scriptHashes: manifest.csp?.scriptHashes ? [...manifest.csp.scriptHashes] : [],
+      scriptResources: manifest.csp?.scriptResources ? [...manifest.csp.scriptResources] : [],
+      styleHashes: manifest.csp?.styleHashes ? [...manifest.csp.styleHashes] : [],
+      styleResources: manifest.csp?.styleResources ? [...manifest.csp.styleResources] : [],
+      directives: manifest.csp?.directives ? [...manifest.csp.directives] : [],
+      isStrictDynamic: manifest.csp?.isStrictDynamic ?? false
     };
     return result;
   }
@@ -494,6 +536,36 @@ class RenderContext {
       url,
       get originPathname() {
         return getOriginPathname(renderContext.request);
+      },
+      insertDirective(payload) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.directives.push(payload);
+      },
+      insertScriptResource(resource) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.scriptResources.push(resource);
+      },
+      insertStyleResource(resource) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.styleResources.push(resource);
+      },
+      insertStyleHash(hash) {
+        if (!pipeline.manifest.csp) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.styleHashes.push(hash);
+      },
+      insertScriptHash(hash) {
+        if (!!pipeline.manifest.csp === false) {
+          throw new AstroError(CspNotEnabled);
+        }
+        renderContext.result?.scriptHashes.push(hash);
       }
     };
   }