CSP mechanism in case error.html served

[lstraka-telekom]

Hi,
I am a beginer in case of security ..I need to adapt CSP headers for our sveltekit project to be compliant with the company security compliance...One of the requirements says something about specifically handle also 404.html etc static error pages (in general I think its for webservers like nginx etc.) I ll try to simulate error, when the error.html is served to me, and I found that the response header does not contain CSP ...for a valid app.html it's works perfectly, so it use the directives set in svelte.config.js in kit.csp.directives[]..but for error.html it makes nothing ..Is that compliant? Or to adapt that I need some different workaround or what do you think ?? ...
Thanks for you replies...

[brunnerh]

kit.csp.directives not applying to the error page might be a bug.

Also, as noted in the docs of the csp configuration option:
You might be able to use the handle hook to add a custom CSP header.
(If it handles error.html as well.)

[lstraka-telekom]

Hi ..thx for reply ...would be ok ..but I found, that it's probably also bypass handle ...in other case of errors, it looks like everytime its handled via handleError and render the +error page or something like that, so it means it using app.html..I am trying to simulate and try to find a way how to obtain exactly error.html and the only one way how I try to simulate is that in env.ts file I add a restriction to some kind of variable..AUTH_SECRET: z.string().min(1).default(''), and in that case I got rendered error.html..Its failed because of ZodError not sure if thats the valid ...I have to investigate more ...Also not familiar with handling hook, to add some custom headers to the response

EDIT

Ok it looks like its behave different via running just deno task dev as it behave using deno task preview ..in preview the server will not start ..so no issue in that case and I did not find any other way how to use to render on a server error.html all other types of throw errors looks like act as rendered directly using app.html file and in that case its compliant

[brunnerh]

I recommend opening an issue about this (in the correct repository).
There should be some way of applying a CSP to error.html as well.