Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: Nonce not being added to styles #5506

Open
3 tasks done
AliKdhim87 opened this issue Mar 18, 2024 · 1 comment
Open
3 tasks done

bug: Nonce not being added to styles #5506

AliKdhim87 opened this issue Mar 18, 2024 · 1 comment
Assignees
@tanner-reits
Labels
Awaiting Reply This PR or Issue needs a reply from the original reporter.

Comments

@AliKdhim87
Copy link

Prerequisites

Stencil Version

4.12.6

Current Behavior

I encountered an issue where the nonce attribute is not being added to the <style> elements in the rendered HTML output of a web application built using Next.js 14.1.3 and Stencil Core version 4.12.6. Despite attempting to use the setNonce function provided by StencilJS as described in the documentation, the nonce attribute is not reflected in the final rendered HTML.

Error Message (Observed in Browser):

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-MDk5YzRhNTMtZWIyNi00OTg1LWE5ODMtNWI4NDY0NWI0ZmY2'". Either the 'unsafe-inline' keyword, a hash ('sha256-YUKCaHC6u+Nroo+NYv18Vu9sN88jXs+Baxc8F1bNkyE='), or a nonce ('nonce-...') is required to enable inline execution.

Expected Behavior

The nonce attribute should be added to all <style> elements in the rendered HTML output, ensuring compliance with Content Security Policy (CSP) requirements.

System Info

- Browser: Google Chrome, Mozilla Firefox, Safari, Brave
- Technology Stack:
  - Next.js version: 14.1.3
  - Stencil Core version: 4.12.6

Steps to Reproduce

  1. Implement the setNonce function to dynamically set the nonce attribute on <style> elements.
  2. Verify that the meta tag with the nonce attribute exists in the HTML document.
  3. Ensure that the nonce value is correctly set and available in the runtime environment.
  4. Inspect the rendered HTML output to confirm the presence of the nonce attribute on <style> elements.
  5. Test across different environments, including various browser versions.
  6. Check for any error messages related to CSP violations or nonce handling in the browser console.
  7. Review the documentation and community resources for any known issues or best practices regarding nonce handling.

Code Reproduction URL

https://github.com/AliKdhim87/configure-csp-nextjs-with-stenciljs

Additional Information

Screenshots:
Screenshot 2024-03-18 at 13 01 57
Screenshot 2024-03-18 at 13 03 01
@ionitron-bot ionitron-bot bot added the triage label Mar 18, 2024
@AliKdhim87 AliKdhim87 mentioned this issue Mar 18, 2024
Open
@tanner-reits tanner-reits self-assigned this Mar 18, 2024
@tanner-reits
Copy link
Member

Hey @AliKdhim87!

Thanks for the issue! Do you know if this is a problem without Next.js in the equation? The reproduction feels a bit complicated at the moment, so it would be great if we could strip out some aspects to help isolate the issue!

@tanner-reits tanner-reits added Awaiting Reply This PR or Issue needs a reply from the original reporter. and removed triage labels Mar 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tanner-reits tanner-reits

Labels
Awaiting Reply This PR or Issue needs a reply from the original reporter.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tanner-reits @AliKdhim87