Avoiding inline script tag in built index.html

[ulf5]

It would be great if it was possible to avoid having the

import init from '/index-....js';init('/index-..._bg.wasm');

part of the html in a separate file and load it as a module, similar to React's INLINE_RUNTIME_CHUNK=false

This is so allowing script-src 'unsafe-inline' can be avoided when setting Content Security Policy headers.

[dnaka91]

That's a good point. I gave this a try by just appending the init('....wasm'); call to the end of the index....js file and changing the HTML line to <script type="module" src="/index....js"></script>. That worked just fine, so I think we can implement it rather easy.

I think a good place for this setting would be the special HTML link:

<!DOCTYPE html>
<html lang="en">
  <head>
    <link data-trunk rel="rust" data-no-inline>
    <!--                        ^ new option here -->
  </head>
  <body>
  </body>
</html>

If that is set, we simply append the call to the wasm-bindgen output (it updates the wasm file and generates the JS bindings file) and change the import statement in the output HTML. What do you think @thedodd ?

[oberien]

Is the additional attribute required? I'd argue that putting import ... in its own file and including that file from index.html could just be the default behaviour.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[ssokolow]

Since I care a great deal about proper CSP headers, I'm going to poke this to ward off the bot. If it's been fixed, let a human actively close it.

[ctron]

Since I care a great deal about proper CSP headers, I'm going to poke this to ward off the bot. If it's been fixed, let a human actively close it.

@ssokolow Honestly I am not sure what the state is. If you know more, maybe you could re-evaluate this. And of course: PRs welcome :)

[johan-smits]

@ctron now that #8 is working the main reason for it to fail with 0.20.1 is that it generates a script without a nonce.

<script type="module">
import init, * as bindings from '/app-ui-ca21138b3c5c8d36.js';
const wasm = await init('/app-ui-ca21138b3c5c8d36_bg.wasm');
 
 
window.wasmBindings = bindings;
 
 
dispatchEvent(new CustomEvent("TrunkApplicationStarted", {detail: {wasm}}));
 
</script>

Setting a nonce on this is the missing piece for the CSP to work.

In my server project I parse the html file and extract the nonce and integrity and provide these in the http header. But since it is missing I can't extract it.

I have created a PR for this #809