feat: Add nonce to <style type=module>#292
Merged
Merged
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
mohamedmansour
approved these changes
May 9, 2026
KurtCattiSchmidt
added a commit
that referenced
this pull request
Jun 6, 2026
…gation Chromium 145+ enforces script-src for <style type="module"> elements because they affect the module map. PR #292 added the nonce on the initial SSR path but explicitly deferred the SPA partial-navigation case to avoid changing render_partial/render_component_templates signatures (which would cascade into FFI/Node/WASM/CLI bindings). This completes the follow-up on the client side: when registerTemplatesAndStyles re-injects a <style type="module"> from the JSON partial, apply the page's existing nonce (window.__webui.nonce). No server signature change required — the page's CSP already allows this nonce. Without this fix, every SPA navigation that pulls in new component CSS triggers `Executing inline script violates Content Security Policy directive 'script-src ...`'' and the styles never adopt, leaving newly-loaded components unstyled. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://chromium-review.googlesource.com/c/chromium/src/+/7758302 added enforcement for the inline-src script CSP because
<style type=module>impacts the module map, which is a script API. Due to this, users of<style type=module>need to either allow the inline script CSP or add a nonce to<style type=module>.Currently, WebUI was not passing the nonce through to
<style type=module>. This change fixes this behavior by passing the existing nonce to<style type=module>output.The third <style type="module"> emission at crates/webui-handler/src/route_handler.rs:1033 (templateStyles JSON for SPA partial navigation) was intentionally left untouched. Adding nonce there would have changed the public render_partial / render_component_templates signatures and cascaded into FFI/C ABI, .NET, Node, WASM, CLI, the webui crate, and example bindings. This will be done as a follow-up.