
Document CSP nonce option and update unsafe-inline guidance#1800

Merged
brettdorrans merged 19 commits into main from PEP-912-update-public-csp-docs
Apr 27, 2026

@brettdorrans
Contributor

Summary

  • Document the new options.nonce prop across all SDK components (CodatLink, CodatConnections, CodatBankFeeds)
  • Update CSP guidance to recommend nonce-based style-src instead of 'unsafe-inline'
  • Add usage example, migration guide, backwards compatibility note, and mount-time behavior details

Test plan

  • Verify npm run build passes
  • Check all internal links resolve (e.g. #csp-nonce anchor)
  • Review rendered markdown for options tables formatting

🤖 Generated with Claude Code

Add nonce option to SDK option references (Link, Connections, Bank Feeds),
update all 13 CSP guidance blocks to recommend nonce-based style-src over
unsafe-inline, and add a new CSP nonce section with usage example, migration
guide, backwards compatibility note, and mount-time behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented Apr 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| codat-docs | Ready | Preview, Comment | Apr 27, 2026 11:23am |

Request Review

@brettdorrans brettdorrans changed the title PEP-912: Document CSP nonce option and update unsafe-inline guidance Document CSP nonce option and update unsafe-inline guidance Apr 7, 2026

@github-actions github-actions Bot left a comment

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

vale

docs/auth-flow/optimize/connection-management.md|504 col 65| [Google.Contractions] Use 'aren't' instead of 'are not'.
docs/auth-flow/optimize/connection-management.md|570 col 65| [Google.Contractions] Use 'aren't' instead of 'are not'.
docs/auth-flow/optimize/connection-management.md|603 col 54| [Google.Passive] In general, use active voice instead of passive voice ('is displayed').
docs/auth-flow/optimize/connection-management.md|604 col 92| [Google.Contractions] Use 'aren't' instead of 'are not'.
docs/bank-feeds/bank-feeds-sdk.md|112 col 64| [Google.Contractions] Use 'aren't' instead of 'are not'.

…italization

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@pmckinney-codat
Collaborator

items: [
"auth-flow/customize/customize-link",
"auth-flow/customize/branding",
"auth-flow/customize/sdk-customize-code",
],

This new page needs to be included in the sidebar so that it is visible to navigate to

@brettdorrans
Contributor Author

> items: [
> "auth-flow/customize/customize-link",
> "auth-flow/customize/branding",
> "auth-flow/customize/sdk-customize-code",
> ],
>
> This new page needs to be included in the sidebar so that it is visible to navigate to

@pmckinney-codat It's unclear which page you refer to? There are no new pages in this PR, I think?

- Remove stray trailing semicolon on CodatLink JSX example
- Use meta-tag retrieval pattern in bank-feeds and connections
  examples instead of hardcoded nonce strings; move reference
  link into prose rather than code comments
- Restore parenthetical gloss in sourceTypes description
- Use a realistic base64-style nonce value in the usage example

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
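
The nonce-based `style-src` setup this pull request documents, together with the meta-tag retrieval pattern named in the commit above, as an added example that is not part of the PR or of Codat's docs. The meta name `csp-nonce` and all function names are assumptions of the example; only `options.nonce` comes from the page.

```javascript
// Added example, not from the Codat docs. Node.js standard library only.
const crypto = require("node:crypto");

// Server: a fresh, unpredictable nonce for every HTTP response.
function newNonce() {
  return crypto.randomBytes(16).toString("base64");
}

// Server: the nonce takes the place of 'unsafe-inline' in style-src.
function buildCsp(nonce) {
  return `default-src 'self'; style-src 'self' 'nonce-${nonce}'`;
}

// Server: expose the same nonce to page scripts.
// The meta name "csp-nonce" is an assumption of this example.
function nonceMetaTag(nonce) {
  return `<meta name="csp-nonce" content="${nonce}">`;
}

// Browser: read the nonce back; pass `document` as `doc`.
// The result is what the host page would hand to the SDK as options.nonce.
function readNonce(doc) {
  const meta = doc.querySelector('meta[name="csp-nonce"]');
  return meta ? meta.content : undefined;
}

// Parse a CSP header value into { directive: [sources] }.
// A repeated directive is ignored, as browsers do.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Migration check: how does this policy treat inline styles?
// "nonce+fallback": CSP2+ browsers ignore 'unsafe-inline' once a nonce is present.
function auditStyleSrc(header) {
  const policy = parseCsp(header);
  const sources = policy["style-src"] || policy["default-src"] || [];
  const hasNonce = sources.some((s) => /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/.test(s));
  const hasUnsafe = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (hasNonce) return hasUnsafe ? "nonce+fallback" : "nonce";
  return hasUnsafe ? "unsafe-inline" : "inline-blocked";
}
```

Running `auditStyleSrc` over the header a deployment actually sends shows whether the migration away from `'unsafe-inline'` has taken effect.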
@brettdorrans brettdorrans marked this pull request as ready for review April 27, 2026 09:48
Updated CSP nonce instructions and removed deprecated content.
@github-actions

Link check results for preview deployment (https://codat-docs-git-PEP-912-update-public-csp-docs-codat.vercel.app):

[]

@brettdorrans brettdorrans enabled auto-merge (squash) April 27, 2026 11:23
@brettdorrans brettdorrans merged commit d7f2c6b into main Apr 27, 2026
6 of 9 checks passed
@brettdorrans brettdorrans deleted the PEP-912-update-public-csp-docs branch April 27, 2026 11:23