laravel/boost

Getting CORS error of script tag browser-logger-active

Closed this issue · 1 comments

Laravel Package Version

not relevant

Laravel Version

not relevant

PHP Version

not relevant

System Info

not relevant

Description

See laravel/boost/src/Services/BrowserLogger.php

Specifically this part:

<script id="browser-logger-active">

The application nonce should be configurable so it can be passed to the script tag.

One possible approach: allow passing it as a parameter to getScript in laravel/boost/src/Middleware/InjectBoost.php, with InjectBoost retrieving it from config if available.

Steps To Reproduce

  • Setting strict CORS header with nonce
  • Error appears: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src-elem 'nonce-123123xyz=' ...

For your testing, you can disable Boost browser logs by setting the following in boost.php:

'browser_logs_watcher' => false,

or by setting the environment variable:

BOOST_BROWSER_LOGS_WATCHER=false

I’ll let @ashleyhindle decide whether we want to officially support configurable script attributes like nonce in Boost, or if this should remain out of scope for now.
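
An added example, not part of the thread or of Boost's code: a Node.js check that reports which inline script tags in a response body a nonce-based policy like the one in the report would refuse to run. The sample policy and HTML are constructed (only the nonce value and the script id come from the issue), and hash sources and 'strict-dynamic' are not evaluated.

```javascript
// Added example, not code from laravel/boost. Simplified CSP model:
// hash sources are detected but not matched; 'strict-dynamic' is ignored.
function inlineScriptPolicy(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  // Fallback chain the browser uses for script elements.
  const sources = directives.get('script-src-elem')
    ?? directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return null; // nothing restricts scripts
  const nonces = new Set();
  let hasHash = false;
  for (const s of sources) {
    const m = /^'nonce-(.+)'$/i.exec(s);
    if (m) nonces.add(m[1]);
    if (/^'sha(256|384|512)-/i.test(s)) hasHash = true;
  }
  // 'unsafe-inline' is ignored once any nonce or hash source is present.
  const unsafeInline = nonces.size === 0 && !hasHash
    && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return { nonces, unsafeInline };
}

// Return the opening tags of inline scripts the policy would refuse to run.
// Regex scanning is a response-body check, not a full HTML parser.
function blockedInlineScripts(csp, html) {
  const policy = inlineScriptPolicy(csp);
  if (policy === null || policy.unsafeInline) return [];
  const blocked = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = tag[1];
    if (/(?:^|\s)src\s*=/i.test(attrs)) continue; // external: matched by URL
    const m = /(?:^|\s)nonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const nonce = m ? (m[1] ?? m[2] ?? m[3]) : null;
    if (nonce === null || !policy.nonces.has(nonce)) blocked.push(tag[0]);
  }
  return blocked;
}

// Constructed sample; the nonce value and script id are the ones in the issue.
const SAMPLE_CSP = "script-src-elem 'self' 'nonce-123123xyz='";
const SAMPLE_HTML = '<script nonce="123123xyz=">boot()</script>\n'
  + '<script src="/app.js"></script>\n'
  + '<script id="browser-logger-active">log()</script>';
```

Run against a rendered page, `blockedInlineScripts(SAMPLE_CSP, SAMPLE_HTML)` lists only the injected tag that lacks the nonce, which is the element named in the reported error.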