Subresource Integrity (unstable), nonce and CSP #14252

@mrksbnch

Reproduction

  1. Go to https://codesandbox.io/p/devbox/lkj4ys
  2. Click on "Preview:3000" or run npm run build and npm run start
  3. Inspect code (<script> tags)

System Info

System:
    OS: Linux 6.1 Debian GNU/Linux 12 (bookworm) 12 (bookworm)
    CPU: (2) x64 AMD EPYC
    Memory: 2.33 GB / 4.01 GB
    Container: Yes
    Shell: Unknown
  Binaries:
    Node: 20.12.0 - /usr/local/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 10.5.0 - /usr/local/bin/npm
    pnpm: 8.15.6 - /usr/local/share/npm-global/bin/pnpm
  npmPackages:
    @react-router/dev: ^7.8.2 => 7.8.2 
    @react-router/node: ^7.8.2 => 7.8.2 
    @react-router/serve: ^7.8.2 => 7.8.2 
    react-router: ^7.8.2 => 7.8.2 
    vite: ^7.1.3 => 7.1.3

Used Package Manager

npm

Expected Behavior

<script rr-importmap type="importmap"> tag to have a nonce attribute with a value of "123"

Actual Behavior

<script rr-importmap type="importmap"> tag doesn't have a nonce attribute and would be blocked if a respective Content-Security-Policy header (without unsafe-inline) were used (not used in this demo).

Note: This is not a demonstration of how to use a nonce in React Router. The nonce value should not be hard-coded as shown in this demo and should not be exposed to the client.
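
A regression check for the behaviour reported above, as an added example (not code from the issue or from React Router): it scans server-rendered HTML for inline <script> elements, import maps included, that lack the expected nonce and would therefore be blocked under a nonce-based CSP without unsafe-inline. The function names and the sample markup are constructed; the tag scanner is regex-based, assumes no ">" inside attribute values, and does not consider hash-based CSP sources.

```javascript
// Added example: find inline <script> elements in rendered HTML that a
// nonce-based CSP (no 'unsafe-inline') would block. Not React Router code.

// Script types the browser acts on; any other type is an inert data block.
const EXECUTABLE_TYPES = new Set([
  "", "text/javascript", "application/javascript", "module", "importmap",
]);

// Parse the attribute text of one opening tag into a name -> value map.
function parseAttributes(tagSource) {
  const attrs = new Map();
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = attrRe.exec(tagSource)) !== null) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Return the opening tags of inline scripts that lack the expected nonce.
function findInlineScriptsMissingNonce(html, expectedNonce) {
  const missing = [];
  const scriptRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (attrs.has("src")) continue; // external script: out of scope for this check
    const type = (attrs.get("type") ?? "").trim().toLowerCase();
    if (!EXECUTABLE_TYPES.has(type)) continue; // e.g. application/ld+json
    if (attrs.get("nonce") !== expectedNonce) missing.push(m[0]);
  }
  return missing;
}

// Constructed sample modelled on the report: the import map has no nonce.
const SAMPLE_HTML = `
<script rr-importmap type="importmap">{"integrity":{}}</script>
<script nonce="123" type="module" async="">import "/assets/entry.client.js";</script>
<script nonce="123">window.__ctx = {};</script>
<script type="application/ld+json">{"@type":"WebSite"}</script>
<script nonce="123" type="module" src="/assets/entry.client.js"></script>
`;

console.log(findInlineScriptsMissingNonce(SAMPLE_HTML, "123"));
```

Run against the HTML a server render returns, with the nonce the response's CSP header carries, a non-empty result means at least one inline script would not execute.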
