Hot Reloading ignores __webpack_nonce__

mgreystone commented 4 years ago

Operating System: Alpine (Docker)
Node Version: 10.16.3
NPM Version: 6.9.0
webpack Version: 4.37.0
style-loader Version: 1.0.0

Expected Behavior

When hot-reloading is enabled, style-loader should add <style> elements with a nonce attribute. The value of the nonce attribute should be the value of __webpack_nonce__.

Actual Behavior

<style> elements do not contain the nonce attribute. Styles are not applied. There is a content-security-policy error in the console, such as the following example.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'nonce-mysecret'". Either the 'unsafe-inline' keyword, a hash ('sha256-LpjzYvTh3c/ORkLyxZ1XcnY3NdUH2gFMMdyhKwGAaw8='), or a nonce ('nonce-...') is required to enable inline execution.

Code

I made a repository to demonstrate this issue at https://github.com/mgreystone/test-style-loader-nonce/tree/45e3402c342036be2a412e4622802497b7c5dfa8

How Do We Reproduce?

Using hot-reload on webpack-dev-server, load a module that both

Sets the value of __webpack_nonce__ = 'secret'
Imports a css module via style-loader Use this on a server that responds a CSP header of `Content-Security-Policy: style-src 'nonce-secret'.

alexander-akait commented 4 years ago

Sorry for delay, i will look on this in near future

tec27 commented 4 years ago

A workaround to this that seems to work for me is to set the value via a DefinePlugin, e.g.

new webpack.DefinePlugin({
  __webpack_nonce__: 'window.__CSP_NONCE',
})

This results in all usages in all files being replaced with the reference to the window field, even when hot reloading. This plugin is before HotModuleReplacementPlugin for me, unsure if that makes a difference or not.

tooltonix commented 4 years ago

A workaround to this that seems to work for me is to set the value via a DefinePlugin, e.g.
new webpack.DefinePlugin({
  __webpack_nonce__: 'window.__CSP_NONCE',
})
This results in all usages in all files being replaced with the reference to the window field, even when hot reloading. This plugin is before HotModuleReplacementPlugin for me, unsure if that makes a difference or not.

I had the same problem - first fixed with this solution.

TannerS commented 1 year ago

Is there any updates to this issue bedsides the work around?

kglickman commented 9 months ago

This is not just an issue with hot reloading.

I have debugged this and the reason that it doesn't work is that injectStylesIntoStyleTag.js should set the nonce via __webpack_require__.nc like the javascript loader does. __webpack_nonce__ is not defined at the point that the code is run unless the workaround is used.

webpack-contrib / style-loader