
[Feature/Security]: Convert inline manifest into separate file to improve CSP default settings

Open jceb opened this issue 2 years ago • 1 comment

Duplicates

  • [X] I have searched the existing issues

Latest version

  • [X] I have tested the latest version

Summary 💡

The SSR (https://github.com/solidjs/solid-start/blob/main/packages/start/server/StartServer.tsx#L76) and SPA (https://github.com/solidjs/solid-start/blob/main/packages/start/server/spa/StartServer.tsx#L20) versions use an inline script to define window.manifest. This makes Content Security Policy more difficult to implement and leads to the use of less safe defaults like: script-src 'unsafe-inline'.

Furthermore, Chrome and Firefox don't allow browser extensions to use the CSP setting script-src 'unsafe-inline' (https://developer.chrome.com/docs/extensions/reference/manifest/content-security-policy). Therefore, Solid start can't be used to build browser extensions at the moment.

To work around this issue, the inline script should be converted into an external file that's imported.

Examples 🌈

No response

Motivation 🔦

No response

jceb avatar Jan 16 '24 09:01 jceb

Currently using solid start with SSR, my manifest is 124kb, taking 70% of the size of my initial webpage. It is sent for any page refresh a user would make.

Separating the manifest as a normal asset, with a cache key, would allow the manifest to be cached by a CDN and by the client, thus making the website faster to load. The server would also support more requests per second, if it doesn't create and send this huge json on every request.

This is a pretty straightforward and important improvement that should not be overlooked.

agmbk avatar Sep 03 '24 08:09 agmbk