Skip to content

Fix CSP nonce support to resolve browser console warnings#789

Merged
tjementum merged 1 commit intomainfrom
pp-621-fix-csp-nonce-support-to-resolve-browser-console-warnings
Nov 17, 2025
Merged

Fix CSP nonce support to resolve browser console warnings#789
tjementum merged 1 commit intomainfrom
pp-621-fix-csp-nonce-support-to-resolve-browser-console-warnings

Conversation

@tjementum
Copy link
Copy Markdown
Member

@tjementum tjementum commented Nov 17, 2025

Summary & Motivation

Fix browser console warnings about Content Security Policy violations for dynamically created style elements by adding nonce support.

The application already had CSP headers blocking malicious scripts and styles. However, dynamically created style elements (used by UI components for positioning and styling) triggered CSP violations in the browser console because they lacked nonce attributes. This change generates unique nonces per request and configures the frontend to automatically apply them to legitimate dynamic styles.

  • Generate cryptographically random nonce per request using RandomNumberGenerator
  • Add nonce directives to CSP headers for script-src, script-src-elem, style-src, and style-src-elem
  • Inject nonce into HTML via meta tag for client-side access
  • Configure Rsbuild security nonce for webpack bundle loading
  • Intercept document.createElement to automatically add nonce attribute to dynamically created style elements
  • Add e2e test validating CSP blocks malicious inline scripts and styles

Downstream projects

  1. Add CSP nonce configuration to your-self-contained-system/WebApp/rsbuild.config.ts:

     export default defineConfig({
+  security: {
+    nonce: "{{cspNonce}}"
+  },
   tools: {

  2. Add CSP nonce meta tag and interception script to your-self-contained-system/WebApp/public/index.html:

    +    <meta name="csp-nonce" content="%CSP_NONCE%" />
     <title>Your Application Title</title>
+    <script nonce="{{cspNonce}}">
+      window.__webpack_nonce__=document.querySelector('meta[name="csp-nonce"]').content;
+      const o=document.createElement;
+      document.createElement=t=>{const e=o.call(document,t);return t.toLowerCase()==='style'&&e.setAttribute('nonce',window.__webpack_nonce__),e};
+    </script>

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary

@tjementum tjementum self-assigned this Nov 17, 2025
@tjementum tjementum added the Bug Something isn't working label Nov 17, 2025
@linear
Copy link
Copy Markdown

linear bot commented Nov 17, 2025

PP-621 Fix CSP nonce support to resolve browser console warnings

@tjementum tjementum moved this to ✅ Done in Kanban board Nov 17, 2025
@tjementum tjementum moved this from ✅ Done to 🏗 In Progress in Kanban board Nov 17, 2025
@tjementum tjementum force-pushed the pp-621-fix-csp-nonce-support-to-resolve-browser-console-warnings branch from e7b1b38 to fb6a4ba Compare November 17, 2025 20:30
@tjementum tjementum force-pushed the pp-621-fix-csp-nonce-support-to-resolve-browser-console-warnings branch from fb6a4ba to 4413b07 Compare November 17, 2025 20:37
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Nov 17, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
55.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@tjementum tjementum merged commit d1bc1ca into main Nov 17, 2025
26 checks passed
@tjementum tjementum deleted the pp-621-fix-csp-nonce-support-to-resolve-browser-console-warnings branch November 17, 2025 20:43
@github-project-automation github-project-automation bot moved this from 🏗 In Progress to ✅ Done in Kanban board Nov 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@tjementum tjementum

Labels

Bug Something isn't working

Projects

Kanban board
Status: ✅ Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tjementum