
Incompatibility with inlineScriptNonce and useTemplateFragments

Open summersz opened this issue 2 years ago • 2 comments

When setting useTemplateFragments to true whilst using inlineScriptNonce, Chrome logs a CSP error for any inline scripts returned in the response. Interestingly, it does actually execute them after the errors are logged, so the only issue is the console log getting spammed.

No errors are logged in Firefox.

summersz avatar Nov 08 '23 14:11 summersz

I think the stuff you add with templates is not known by HTMX and the nonce will therefore be missing.

Can you check the source code for this?

andryyy avatar Nov 08 '23 15:11 andryyy

The parsed HTML is inserted before the scripts get processed. On processing, a new script element, with the nonce from the inlineScriptNonce setting added, gets inserted and then the old script gets removed. Chrome flags the CSP error when inserting the original document fragment, but that then gets replaced with an acceptable inline script, which explains why everything still works. Not sure why Chrome flags this with fragments and not elements. As a dirty hack, I am adding the nonce to the HTML string prior to the HTML parsing.

summersz avatar Nov 08 '23 16:11 summersz
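
The workaround described in the last comment (adding the nonce to the HTML string before it is parsed), as an added example that is not code from this thread or from htmx. `addNonceToInlineScripts` is a hypothetical helper, and where it is called in the response path is left as an assumption.

```javascript
// Added example, not htmx code: stamp a CSP nonce onto inline <script> tags
// in a response string before that string is parsed into a fragment.
// Regex-based on purpose (it runs before any DOM exists); it does not
// understand HTML comments or <textarea> content.

// CSP nonces are base64 / base64url values; reject anything else so the
// value can never break out of the attribute it is written into.
const NONCE_RE = /^[A-Za-z0-9+\/_-]+={0,2}$/;

// Opening <script> tag; quoted attribute values may themselves contain '>'.
const SCRIPT_OPEN_RE = /<script\b((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;

// True if an attribute called `name` is present; quoted values are blanked
// first so text inside a value (e.g. data-x=" src=") cannot match.
function hasAttr(attrs, name) {
  const bare = attrs.replace(/"[^"]*"|'[^']*'/g, '""');
  return new RegExp('(?:^|[\\s/])' + name + '(?=[\\s=/]|$)', 'i').test(bare);
}

function addNonceToInlineScripts(html, nonce) {
  if (typeof nonce !== 'string' || !NONCE_RE.test(nonce)) {
    throw new TypeError('nonce must be a base64 or base64url string');
  }
  return html.replace(SCRIPT_OPEN_RE, (tag, attrs) => {
    // Only inline scripts are in scope: external scripts and tags that
    // already carry a nonce are left exactly as the server sent them.
    if (hasAttr(attrs, 'src') || hasAttr(attrs, 'nonce')) return tag;
    return '<script nonce="' + nonce + '"' + attrs + '>';
  });
}

// Constructed sample response (not taken from the issue).
const sampleResponse =
  '<div id="out">ok</div>' +
  '<script>init()</script>' +
  '<script src="/static/app.js"></script>' +
  '<script nonce="fromServer" type="module">boot()</script>' +
  '<script data-note="a > b">late()</script>';

console.log(addNonceToInlineScripts(sampleResponse, 'c2FtcGxlLW5vbmNl'));
```

Every inline script in the response string becomes nonce-approved, so the result is only as trustworthy as the server-side escaping of that response.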