tweak

elliott-with-the-longest-name-on-github · elliott-with-the-longest-name-on-github · commit 66f3255ac9c8 · 2025-12-09T12:19:00.000-07:00
diff --git a/packages/svelte/src/internal/server/renderer.js b/packages/svelte/src/internal/server/renderer.js
@@ -382,7 +382,7 @@ export class Renderer {
 	static render(component, options = {}) {
 		/** @type {AccumulatedContent | undefined} */
 		let sync;
-		/** @type {Promise<AccumulatedContent> | undefined} */
+		/** @type {Promise<AccumulatedContent & { hashes: { script: string[] } }> | undefined} */
 		let async;
 
 		const result = /** @type {RenderOutput} */ ({});
@@ -426,7 +426,7 @@ export class Renderer {
 								head: result.head,
 								body: result.body,
 								html: result.body,
-								hashes: { script: '' }
+								hashes: { script: [] }
 							});
 							return Promise.resolve(user_result);
 						}
@@ -521,7 +521,7 @@ export class Renderer {
 	 * @template {Record<string, any>} Props
 	 * @param {Component<Props>} component
 	 * @param {{ props?: Omit<Props, '$$slots' | '$$events'>; context?: Map<any, any>; idPrefix?: string; csp?: CspInternal }} options
-	 * @returns {Promise<AccumulatedContent & { hashes: { script: string } }>}
+	 * @returns {Promise<AccumulatedContent & { hashes: { script: string[] } }>}
 	 */
 	static async #render_async(component, options) {
 		const previous_context = ssr_context;
@@ -629,7 +629,7 @@ export class Renderer {
 	/**
 	 * @param {AccumulatedContent} content
 	 * @param {Renderer} renderer
-	 * @returns {AccumulatedContent & { hashes: { script: string } }}
+	 * @returns {AccumulatedContent & { hashes: { script: string[] } }}
 	 */
 	static #close_render(content, renderer) {
 		for (const cleanup of renderer.#collect_on_destroy()) {
@@ -647,7 +647,7 @@ export class Renderer {
 			head,
 			body,
 			hashes: {
-				script: renderer.global.csp.script_hashes.map((hash) => `'${hash}'`).join(' ')
+				script: renderer.global.csp.script_hashes
 			}
 		};
 	}
@@ -694,8 +694,11 @@ export class Renderer {
 		if (this.global.csp.nonce) {
 			csp_attr = ` nonce="${this.global.csp.nonce}"`;
 		} else if (this.global.csp.hash) {
+			// note to future selves: this doesn't need to be optimized with a Map<body, hash>
+			// because the it's impossible for identical data to occur multiple times in a single render
+			// (this would require the same hydratable key:value pair to be serialized multiple times)
 			const hash = await sha256(body);
-			this.global.csp.script_hashes.push(hash);
+			this.global.csp.script_hashes.push(`sha256-${hash}`);
 		}
 
 		return `<script${csp_attr}>${body}</script>`;
diff --git a/packages/svelte/src/internal/server/types.d.ts b/packages/svelte/src/internal/server/types.d.ts
@@ -45,7 +45,7 @@ export interface SyncRenderOutput {
 	/** HTML that goes somewhere into the `<body>` */
 	body: string;
 	hashes: {
-		script: string;
+		script: string[];
 	};
 }
 
diff --git a/packages/svelte/tests/server-side-rendering/samples/csp-hash/_config.js b/packages/svelte/tests/server-side-rendering/samples/csp-hash/_config.js
@@ -3,5 +3,5 @@ import { test } from '../../test';
 export default test({
 	mode: ['async'],
 	csp: { hash: true },
-	script_hashes: "'TbJbBVc8UZ9yf9YRlCZCPBDitel+IaSg0BXUsnAx0cA='"
+	script_hashes: ['sha256-TbJbBVc8UZ9yf9YRlCZCPBDitel+IaSg0BXUsnAx0cA=']
 });
diff --git a/packages/svelte/tests/server-side-rendering/samples/csp-nonce-precedence/_config.js b/packages/svelte/tests/server-side-rendering/samples/csp-nonce-precedence/_config.js
@@ -3,5 +3,5 @@ import { test } from '../../test';
 export default test({
 	mode: ['async'],
 	csp: { hash: true, nonce: 'test-nonce' },
-	script_hashes: ''
+	script_hashes: []
 });
diff --git a/packages/svelte/tests/server-side-rendering/test.ts b/packages/svelte/tests/server-side-rendering/test.ts
@@ -22,7 +22,7 @@ interface SSRTest extends BaseTest {
 	withoutNormalizeHtml?: boolean;
 	error?: string;
 	csp?: { nonce: string } | { hash: true };
-	script_hashes?: string;
+	script_hashes?: string[];
 }
 
 // TODO remove this shim when we can
@@ -145,7 +145,7 @@ const { test, run } = suite_with_variants<SSRTest, 'sync' | 'async', CompileOpti
 		}
 
 		if (config.script_hashes !== undefined) {
-			assert.equal(hashes.script, config.script_hashes);
+			assert.deepEqual(hashes.script, config.script_hashes);
 		}
 	}
 );
diff --git a/packages/svelte/types/index.d.ts b/packages/svelte/types/index.d.ts
@@ -2576,7 +2576,7 @@ declare module 'svelte/server' {
 		/** HTML that goes somewhere into the `<body>` */
 		body: string;
 		hashes: {
-			script: string;
+			script: string[];
 		};
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ export interface SyncRenderOutput {`
`45`	`45`	/** HTML that goes somewhere into the `<body>` */
`46`	`46`	`body: string;`
`47`	`47`	`hashes: {`
`48`		`- script: string;`
	`48`	`+ script: string[];`
`49`	`49`	`};`
`50`	`50`	`}`
`51`	`51`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ interface SSRTest extends BaseTest {`
`22`	`22`	`withoutNormalizeHtml?: boolean;`
`23`	`23`	`error?: string;`
`24`	`24`	`csp?: { nonce: string } \| { hash: true };`
`25`		`- script_hashes?: string;`
	`25`	`+ script_hashes?: string[];`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`// TODO remove this shim when we can`
`@@ -145,7 +145,7 @@ const { test, run } = suite_with_variants<SSRTest, 'sync' \| 'async', CompileOpti`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`if (config.script_hashes !== undefined) {`
`148`		`- assert.equal(hashes.script, config.script_hashes);`
	`148`	`+ assert.deepEqual(hashes.script, config.script_hashes);`
`149`	`149`	`}`
`150`	`150`	`}`
`151`	`151`	`);`
Original file line number	Diff line number	Diff line change
`@@ -2576,7 +2576,7 @@ declare module 'svelte/server' {`
`2576`	`2576`	/** HTML that goes somewhere into the `<body>` */
`2577`	`2577`	`body: string;`
`2578`	`2578`	`hashes: {`
`2579`		`- script: string;`
	`2579`	`+ script: string[];`
`2580`	`2580`	`};`
`2581`	`2581`	`}`
`2582`	`2582`