implement nonce for refresh csp

fastrodev · Aug 18, 2024 · 22213f3 · 22213f3
1 parent b67cafd
commit 22213f3
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/http/server/render.ts b/http/server/render.ts
@@ -111,6 +111,7 @@ es.onmessage = function(e) {
         h("script", {
           src: `/js/refresh.js`,
           async: true,
+          nonce,
         }),
       );
     }
@@ -129,7 +130,7 @@ es.onmessage = function(e) {
       "content-type": "text/html",
       "x-request-id": new Date().getTime().toString(),
       "Content-Security-Policy":
-        `default-src 'self'; script-src 'self' 'nonce-${nonce}'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'; frame-src 'self'`,
+        `default-src 'self'; script-src 'self' 'nonce-${nonce}' 'strict-dynamic'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self'; frame-src 'self'`,
     });
     const children = typeof p.component == "function"
       ? h(p.component as FunctionComponent, { data, nonce })