Getting cors error of script tag browser-logger-active

[MarkusJLechner]

Laravel Package Version

not relevant

Laravel Version

not relevant

PHP Version

not relevant

System Info

not relevant

Description

See laravel/boost/src/Services/BrowserLogger.php

Specifically this part:

<script id="browser-logger-active">

The application nonce should be configurable so it can be passed to the script tag.

One possible approach: allow passing it as a parameter to getScript in laravel/boost/src/Middleware/InjectBoost.php, with InjectBoost retrieving it from config if available.

Steps To Reproduce

• Setting strict cors header with nonce
• Error appears Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'nonce-123123xyz=' ...

[pushpak1300]

For your testing, you can disable Boost browser logs by setting the following in boost.php:

'browser_logs_watcher' => false,

or by setting the environment variable:

BOOST_BROWSER_LOGS_WATCHER=false

I’ll let @ashleyhindle decide whether we want to officially support configurable script attributes like nonce in Boost, or if this should remain out of scope for now.