Ability to pass nonce as a prop to the underlying script.
Closed this issue ยท 1 comments
abereghici commented
Discussed in #28
Originally posted by Ekthelion January 30, 2024
If the app is using nonce in CSP agains the XSS attacks, script is being ignored/removed and a CSP error is being thrown.
To solve this, the script with the clientThemeCode schould include the nonce attribute passed down from the root.tsx.
//root.tsx
<PreventFlashOnWrongTheme nonce={nonce} ssrTheme={Boolean(ssrTheme)} />
//theme-provider
function PreventFlashOnWrongTheme({ ssrTheme, nonce }) {
const [theme] = useTheme();
return ((0, jsx_runtime_1.jsxs)(jsx_runtime_1.Fragment, { children: [(0, jsx_runtime_1.jsx)("meta", { name: "color-scheme", content: theme === 'light' ? 'light dark' : 'dark light' }), ssrTheme ? null : ((0, jsx_runtime_1.jsx)("script", {
...
nonce: nonce,
dangerouslySetInnerHTML: { __html: clientThemeCode } }))] }));
}
```</div>
github-actions commented
๐ This issue has been resolved in version 1.3.1 ๐
The release is available on:
Your semantic-release bot ๐ฆ๐