Known Limitations
Double Build
⚠️ In case your SSR (dynamic) pages refer to static .js
or .css
files, and
any of these resources change, then you might have to run the astro build
command two consecutive times (Astro-Shield will emit a warning message
telling you about it in case it is needed).
We might try to improve this in the future, but there are some technical issues that make it hard to solve this problem in an elegant way.
Missing File Watcher
For now, Astro-Shield does not provide file watcher logic that would automatically regenerate the SRI hashes when files change.
This means that if you are running Astro in development mode (astro dev
), you
might have to manually run astro build
to avoid having stale SRI hashes that
break your local version of the site.
SRI & CSP spec limitations
When a script is loaded with a static import (e.g.
import { foo } from 'https://origin.com/script.js'
) rather than directly
included with a <script>
tag (e.g.
<script type="module" src="https://origin.com/script.js"></script>
), having
its hash present in the script-src
CSP directive is not enough to ensure that
the browser will accept it (the browser also wants you to provide information
that pairs the hash with a specific resource).
This, in itself, is not a limitation of Astro-Shield, but rather a limitation of the combination of current SRI and CSP specs.
Because of that, for now, it is advisable to add 'self'
to the script-src
directive (Astro-Shield does it for you).