Remove imagesizes and imagesrcset, add nonce

justbetter · Jan 27, 2025 · 944a3ad · 944a3ad
1 parent 375270b
commit 944a3ad
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -98,6 +98,14 @@ So we will not preload these images.
 
 If your html object tag contains `data=""` it will preload it.
 
+##### Nonce
+
+While the early hints module does support sending [nonce](https://laravel.com/docs/11.x/vite#content-security-policy-csp-nonce) across as well, we recommend against it. And use [integrity](https://laravel.com/docs/11.x/vite#subresource-integrity-sri) instead.
+
+Without hardcoding the nonce
+[Vite::useCspNonce($nonce);](https://laravel.com/docs/11.x/vite#content-security-policy-csp-nonce:~:text=Vite%3A%3AuseCspNonce(%24nonce)%3B)
+sending this in early hints will be useless as each request will send early hints with a stale nonce.
+
 ## Testing
 
 ``` bash

diff --git a/src/Listeners/AddFromBody.php b/src/Listeners/AddFromBody.php
@@ -21,15 +21,15 @@ public function handle(GenerateEarlyHints $event)
         $excludeKeywords = array_filter(config('http3earlyhints.exclude_keywords', []));
         $headers = $this->fetchLinkableNodes($event->response)
             ->flatMap(function ($element) {
-                [$src, $href, $data, $rel, $type, $crossorigin, $as, $fetchpriority, $integrity, $referrerpolicy, $imagesizes, $imagesrcset] = $element;
+                [$src, $href, $data, $rel, $type, $crossorigin, $as, $fetchpriority, $integrity, $nonce, $referrerpolicy] = $element;
                 $rel = $type === 'module' ? 'modulepreload' : $rel;
 
                 if ($rel === 'modulepreload' && empty($crossorigin)) {
                     // On module or modulepreload the crossorigin is REQUIRED https://github.com/whatwg/html/issues/1888
                     $crossorigin = 'anonymous';
                 }
 
-                $attributes = array_filter(@compact('crossorigin', 'as', 'fetchpriority', 'integrity', 'referrerpolicy', 'imagesizes', 'imagesrcset'));
+                $attributes = array_filter(@compact('crossorigin', 'as', 'fetchpriority', 'integrity', 'nonce', 'referrerpolicy'));
 
                 return [
                     $this->buildLinkHeader($href ?? '', $rel ?? null, $attributes),
@@ -71,7 +71,7 @@ protected function fetchLinkableNodes(Response $response): Collection
 
         return collect(
             $crawler->filter('link:not([rel*="icon"]):not([rel="canonical"]):not([rel="manifest"]):not([rel="alternate"]), script[src]:not([defer]):not([async]), *:not(picture)>img[src]:not([loading="lazy"]), object[data]')
-                ->extract(['src', 'href', 'data', 'rel', 'type', 'crossorigin', 'as', 'fetchpriority', 'integrity', 'referrerpolicy', 'imagesizes', 'imagesrcset'])
+                ->extract(['src', 'href', 'data', 'rel', 'type', 'crossorigin', 'as', 'fetchpriority', 'integrity', 'nonce', 'referrerpolicy'])
         );
     }