Open fdev opened 1 year ago
Hey, I'm facing a similar issue: I have a library that injects a script at runtime (in the browser), which wants to create some style tags but gets refused by CSP, which is normal as they don't have a nonce or sha 🤷
I tried to overwrite the CSP header in `getServerSideProps` (without using `gsspWithNonce`) by filtering the nonce and sha on the `style-src` rule, but they are still present on the document sent to the browser.
Is there anything I didn't understand, or a workaround? 🙏
Faced the same issue. It appears that the builder just applies nonce to `style-src` if it's present, ignoring any config that might have told it not to.
After running into too many issues getting strict inline styles to work, I've decided to use `unsafe-inline` for `style-src`.

I have configured `'style-src': ['self', 'unsafe-inline']` in the directives, but in production the `style-src` still contains a nonce which disables `unsafe-inline`.

It seems the only way to prevent this from happening is to remove the `gsspWithNonce` wrapper from my pages, but I do need the nonce for `script-src`.

Is there a way to keep using a nonce for `script-src`, while being allowed to use `unsafe-inline` for `style-src`? I have dug through the code and issues but unfortunately came up empty.

Edit: Turns out the reason why my strict inline styles were failing is caused by another issue: Routing & Nonce Required #77