CSP build improvements: questions around contributing

[phacks]

Hey everyone! Long time Alpine user, first-time contributor 👋

I was looking at using the CSP build in the context of migrating a Chrome extension to using Manifest V3 (which prohibits unsafe-eval). I know the build isn’t ready yet, but I got curious about what it can and cannot do, and potentially contributing to it.

To do so, I started porting over the main AlpineJS test suite to the CSP build, and noted which tests failed, or required workarounds. I also worked on a proof-of-concept patch (not production ready!) that fixes some of these specs, mostly around x-model, x-for and x-bind, as well as adding support for boolean, numeric and string values (e.g. x-show: true).

I wrote about this ongoing effort (and a first pass at the patch) in this GitHub gist: https://gist.github.com/phacks/0991e8340bff6184c2c9d6793600315a. 

I’d be more than happy to improve this and turn this into a proper PR if there’s appetite, though I’d like to get feedback on the following before doing so:

• Are there efforts on the CSP build currently? If not, would you consider contributions to it?
• Is porting the entire main test suite for the CSP build desirable, or would it slow CI down too much/add too much maintenance burden?

Thanks in advance!

[tnylea]

@phacks would love it if you were to contribute some CSP fixes 😍

I was working on a few Chrome extensions and wanted to reach for Alpine; however, the non CSP version was preventing me from building Chrome extensions with manifest V3 because it was not considered secure. I tried using the CSP version in my extension but there were many issues and things that weren't working as you pointed out in your Gist.

Just know that there are probably many others who would love to have a working CSP version 🤘 I just didn't have the time to contribute and put the chrome extensions on the back-burner for now.

Hope you have a great day!

[browner12]

Yah, bumping this as I think it needs to be a priority to get a CSP build available. As stated, Chrome Manifest v3 will not work with the basic Alpine build due to CSP. We all know Google doesn't always stick to their sunset dates, but one thing I read said v2 extensions would not work after June 2023. They are already not accepting new v2 extensions into the Chrome store. That means we're playing with fire here.

One place this could be particularly harmful is with the AlpineJS devtools extension. I think this is a necessary tool to make sure the AlpineJS dev experience is great. I recently started rebuilding it, as it's clear there is no active work on the current version, but ran into this CSP issue. If we can get a functioning CSP build, I'll keep working on the devtools extension, but until then I'm SOL.

[Igloczek]

Anyone there managed to use the CSP build in a content script with Manifest V3 extension successfully?

For me the Alpine CSP starts fine, but I can't make any stuff to work, since it won't recognize the name of any component registered using Alpine.data.

Alpine Error: Alpine is unable to interpret the following expression using the CSP-friendly build: "componentName"

Most likely the sandboxing breaks something, but I don't really know how to debug it easily (i'd prefer to not spend hours checking it line by line in the debugger 😅).