feat: write cspNonce to style tags (#16419)

thebanjomatic · web-flow · commit 8e54bbd74d86 · 2024-04-18T10:54:39.000Z
diff --git a/docs/guide/features.md b/docs/guide/features.md
@@ -699,7 +699,7 @@ To deploy CSP, certain directives or configs must be set due to Vite's internals
 
 ### [`'nonce-{RANDOM}'`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources#nonce-base64-value)
 
-When [`html.cspNonce`](/config/shared-options#html-cspnonce) is set, Vite adds a nonce attribute with the specified value to the output script tag and link tag for stylesheets. Note that Vite will not add a nonce attribute to other tags, such as `<style>`. Additionally, when this option is set, Vite will inject a meta tag (`<meta property="csp-nonce" nonce="PLACEHOLDER" />`).
+When [`html.cspNonce`](/config/shared-options#html-cspnonce) is set, Vite adds a nonce attribute with the specified value to any `<script>` and `<style>` tags, as well as `<link>` tags for stylesheets and module preloading. Additionally, when this option is set, Vite will inject a meta tag (`<meta property="csp-nonce" nonce="PLACEHOLDER" />`).
 
 The nonce value of a meta tag with `property="csp-nonce"` will be used by Vite whenever necessary during both dev and after build.
 
diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts
@@ -1184,6 +1184,7 @@ export function injectNonceAttributeTagHook(
 
       if (
         nodeName === 'script' ||
+        nodeName === 'style' ||
         (nodeName === 'link' &&
           attrs.some(
             (attr) =>
diff --git a/playground/csp/index.html b/playground/csp/index.html
@@ -1,5 +1,5 @@
 <link rel="stylesheet" href="./linked.css" />
-<style nonce="#$NONCE$#">
+<style>
   .inline {
     color: green;
   }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<link rel="stylesheet" href="./linked.css" />`
`2`		`-<style nonce="#$NONCE$#">`
	`2`	`+<style>`
`3`	`3`	`.inline {`
`4`	`4`	`color: green;`
`5`	`5`	`}`