Vite Config cspNonce

[bnjmnrsh]

Astro Info

Astro                    v4.13.1
Node                     v21.7.3
System                   macOS (x64)
Package Manager          npm
Output                   static
Adapter                  none
Integrations             astro-icon
                         @kindspells/astro-shield
                         astro-purgecss

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

Passing the following config to Astro does not create the expected output as outlined in Vite's docs

import { defineConfig } from 'astro/config';

// https://astro.build/config
export default defineConfig({
  vite: {
    html: {
      cspNonce: '1234',
    },
  },
});

What's the expected result?

As per Vite's docs, a meta tag should be added to the head:

<meta property="csp-nonce" nonce="PLACEHOLDER" />

and scripts and styles should be given nonce="PLACEHOLDER" attributes.

Link to Minimal Reproducible Example

https://stackblitz.com/edit/astro-vite-cspnonce

Participation

• [ ] I am willing to submit a pull request for this issue.

[bluwy]

The Vite CSP config only applies to Vite-controlled HTML files only, which doesn't happen in Astro, so it doesn't work by default. If Astro were to support CSP configs, it'd probably be through its own Astro config, and I think it's more of a feature request in that case.

I think it would be better to create a discussion at https://github.com/withastro/roadmap if this is something you'd like to see. There's also https://github.com/withastro/roadmap/discussions/377 which seems somewhat related.

Closing this for now as we keep feature requests in the roadmap repo, and this isn't quite a bug in Astro.

[bnjmnrsh]

@bluwy Thank you for the explanation. The docs don't provide any guidance as to what of Vite's config can be modified. I'll open a separate issue to clarify this to save others time if they come down this road. I'll contribute to the roadmap discussions where I can.