We're looking to self-host an expo web app.
Adding a CSP when we control the server is easy enough because we can set it in the response headers, but for the CSP to be strict at all we need to be able to use 'strict-dynamic' with a nonce in the script-src.
We would need expo to support a way for a nonce to be added to all the script tags in the html at runtime.
As an example of how this can be done, Next.js has handled this well: https://nextjs.org/docs/app/guides/content-security-policy.
Without that we'll have to resort to setting 'unsafe-inline' in the script-src directive to load a 3rd-party script, which is pretty bad in terms of security.
Since expo already provides useServerDocumentContext, it could just be a case of documenting a clever way of using that to set the nonce from a custom server.