From a99843032f26874b061ba1a08e86e59d3798d9c1 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 25 Jun 2026 20:18:59 -0400 Subject: [PATCH] fix: use unsafe-inline instead of nonce in dev style-src (nonce makes unsafe-inline ignored) --- src/lib/security/csp.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/security/csp.ts b/src/lib/security/csp.ts index 00acc9e..7ea0b27 100644 --- a/src/lib/security/csp.ts +++ b/src/lib/security/csp.ts @@ -9,7 +9,7 @@ export function buildContentSecurityPolicy(nonce: string, development: boolean): const directives = [ "default-src 'self'", `script-src ${scriptSources.join(' ')}`, - `style-src 'self' 'nonce-${nonce}'${development ? " 'unsafe-inline'" : ''}`, + `style-src 'self'${development ? " 'unsafe-inline'" : ` 'nonce-${nonce}'`}`, "img-src 'self' data: blob:", "font-src 'self' data:", `connect-src 'self'${development ? ' ws: wss:' : ''}`,