From b00fd3ac0a12193970f123b393c8804ee43bc5cd Mon Sep 17 00:00:00 2001
From: sanjibani <18418553+sanjibani@users.noreply.github.com>
Date: Sat, 27 Jun 2026 06:27:23 +0530
Subject: [PATCH] fix(csp): append nonce alongside existing directives instead of stripping 'unsafe-inline'

Closes #3813

The csp middleware used replaceAll() to substitute any "'unsafe-inline'" with the per-request nonce, which forced the strict-CSP pattern that strips the fallback. This is exactly the wrong direction: web.dev's recommended strict-CSP fallback is to keep "'unsafe-inline'" alongside the nonce so older browsers that ignore nonces still work, while modern browsers prefer the nonce.

Now the middleware simply appends the nonce to each inline directive (script-src, style-src, default-src, script-src-elem, style-src-elem, style-src-attr), preserving whatever the user wrote (including their "'unsafe-inline'" fallback). The default "'unsafe-inline'" entries remain in the rendered header alongside the nonce, matching the production pattern used by e.g. YouTube.

Tests updated to assert the append behaviour; two new tests cover the explicit-fallback case and the strict-no-unsafe-inline case.
---
 docs/latest/plugins/csp.md                  | 11 ++-
 packages/fresh/src/middlewares/csp.ts       | 21 +++-
 packages/fresh/src/middlewares/csp_test.tsx | 91 +++++++++++++++++++--
 3 files changed, 105 insertions(+), 18 deletions(-)

diff --git a/docs/latest/plugins/csp.md b/docs/latest/plugins/csp.md
index adf7e6b6a8d..4ca76f46770 100644
--- a/docs/latest/plugins/csp.md
+++ b/docs/latest/plugins/csp.md
@@ -54,9 +54,14 @@ When `useNonce` is enabled: - Fresh automatically injects a unique `nonce` attribute onto every inline `
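Review bot: The `docs/latest/plugins/csp.md` hunk (the "When `useNonce` is enabled" section) should say explicitly why keeping `'unsafe-inline'` next to the nonce does not weaken the policy: a browser that understands nonces ignores `'unsafe-inline'` in any directive that also carries a nonce or hash, so the token only takes effect in older browsers that ignore nonces, which is the fallback the commit message describes. Without that sentence, a reader who sees both tokens in the rendered header will assume inline scripts are allowed everywhere. One more point for the same docs text, and for the directive list in the commit message: appending a nonce to `style-src-attr` has no effect, because nonces apply to `<script>` and `<style>` elements only and not to `style=` attributes; that directive is governed by `'unsafe-inline'` or `'unsafe-hashes'`, so either drop it from the nonce-appending set or document that the nonce is inert there.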