Support custom Content Security Policy
Johnny Povolny
Expo hosting sets a default Content Security Policy of "frame-ancestors 'self'". This means you cannot load any expo web app in an iframe, which can sometimes be a valid/valuable use case.
Being able to control the level of strictness of the CSP is a standard feature of other hosting services (Netlify, Vercel, etc.). Would it be possible to add this to the hosting config in eas.json or something like that?
Thanks!
Rune Philosof
My bad. I am deploying a static web app. It cannot support `nonce`. And `staticwebapp.config.json` is specific to the hosting provider I am using. But for other non-static web app uses, being able to set a `nonce` is essential.
Rune Philosof
You are able to set a custom CSP in `staticwebapp.config.json`:

```json
"globalHeaders": {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' ...
```
The headline of this feature request should be

> Support setting `nonce` attribute on script tags

Here is a list of problematic code:
- https://github.com/expo/expo/blob/17e0a7d4f623d359dfbc6485d041a3a073cd738c/packages/%40expo/cli/src/start/server/metro/serializeHtml.ts#L105
- https://github.com/expo/expo/blob/17e0a7d4f623d359dfbc6485d041a3a073cd738c/packages/%40expo/router-server/src/utils/html.ts#L54
- https://github.com/expo/expo/blob/17e0a7d4f623d359dfbc6485d041a3a073cd738c/packages/%40expo/router-server/src/utils/html.ts#L75 (this one is easy to handle with hash)
- https://github.com/expo/expo/blob/17e0a7d4f623d359dfbc6485d041a3a073cd738c/packages/%40expo/router-server/src/utils/html.ts#L97
- https://github.com/search?q=repo%3Aexpo%2Fexpo%20%2F%3Cscript%2F&type=code
Rémy Oudemans
This would be handy for us in some form too!
We're looking to self-host an expo web app.
Adding a CSP when we control the server is easy enough because we can set it in the response headers, but for the CSP to be strict at all we need to be able to use 'strict-dynamic' with a nonce in the script-src.
We would need expo to support a way for a nonce to be added to all the script tags in the html at runtime.
As an example of how this can be done, Next.js have handled this well https://nextjs.org/docs/app/guides/content-security-policy.
Without that we'll have to resort to setting 'unsafe-inline' in the script-src directive to load a 3rd-party script, which is pretty bad in terms of security.