Only unsafe inline?

tvandort · tvandort · commit 60127c9a4723 · 2025-12-16T10:29:59.000-05:00
diff --git a/clients/privacy-center/__tests__/server-utils/__snapshots__/recommendedSecurityHeaders.test.ts.snap b/clients/privacy-center/__tests__/server-utils/__snapshots__/recommendedSecurityHeaders.test.ts.snap
@@ -1,7 +1,7 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`recommended security headers templates and flattens privacy center csp header when isDev is false 1`] = `"default-src 'self'; script-src 'self' 'nonce-random-nonce-string' 'strict-dynamic' ; style-src 'self' 'nonce-random-nonce-string' 'unsafe-inline'; connect-src 'self' fides.example.com geolocation.example.com; img-src 'self' blob: data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests;"`;
+exports[`recommended security headers templates and flattens privacy center csp header when isDev is false 1`] = `"default-src 'self'; script-src 'self' 'nonce-random-nonce-string' 'strict-dynamic' ; style-src 'self' 'unsafe-inline'; connect-src 'self' fides.example.com geolocation.example.com; img-src 'self' blob: data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests;"`;
 
-exports[`recommended security headers templates and flattens privacy center csp header when isDev is true 1`] = `"default-src 'self'; script-src 'self' 'nonce-random-nonce-string' 'strict-dynamic' 'unsafe-eval'; style-src 'self' 'nonce-random-nonce-string' 'unsafe-inline'; connect-src 'self' fides.example.com geolocation.example.com; img-src 'self' blob: data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests;"`;
+exports[`recommended security headers templates and flattens privacy center csp header when isDev is true 1`] = `"default-src 'self'; script-src 'self' 'nonce-random-nonce-string' 'strict-dynamic' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' fides.example.com geolocation.example.com; img-src 'self' blob: data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests;"`;
 
 exports[`recommended security headers templates and flattens the static csp header 1`] = `"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' fides.example.com geolocation.example.com; img-src 'self' blob: data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests;"`;
diff --git a/clients/privacy-center/app/server-utils/recommendedSecurityHeaders.ts b/clients/privacy-center/app/server-utils/recommendedSecurityHeaders.ts
@@ -50,7 +50,7 @@ export const privacyCenterPagesCspHeader = (args: {
   flattenHeader(`
     default-src 'self';
     script-src 'self' 'nonce-${args.nonce}' 'strict-dynamic' ${args.isDev ? "'unsafe-eval'" : ""};
-    style-src 'self' 'nonce-${args.nonce}' 'unsafe-inline';
+    style-src 'self' 'unsafe-inline';
     connect-src 'self' ${args.fidesApiHost} ${args.geolocationApiHost};
     img-src 'self' blob: data:;
     font-src 'self';
