fix(csp): add nonce to all inline style and script tags

Register CSP nonce with Vite::useCspNonce() so Livewire and Flux inherit it automatically. Add @cspnonce directive to all inline <style> and <script> blocks in layout templates to satisfy strict style-src/script-src CSP in production. Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-13 19:45:09 +00:00 · 2026-02-13 19:45:09 +00:00 · 4f09bfedd2
commit 4f09bfedd2
parent feb47c8ea5
4 changed files with 16 additions and 7 deletions
--- a/src/Core/Front/Admin/Blade/layouts/app.blade.php
+++ b/src/Core/Front/Admin/Blade/layouts/app.blade.php
@ -18,12 +18,12 @@
    <title>{{ $title }}</title>
    {{-- Critical CSS: Prevents white flash during page load/navigation --}}
-    <style>
+    <style @cspnonce>
        html { background-color: #f3f4f6; }
        html.dark { background-color: #111827; }
    </style>
-    <script>
+    <script @cspnonce>
        (function () {
            var darkMode = localStorage.getItem('dark-mode');
            if (darkMode === 'true') {
@ -56,7 +56,7 @@
    x-init="$watch('sidebarExpanded', value => localStorage.setItem('sidebar-expanded', value))"
 >
-<script>
+<script @cspnonce>
    if (localStorage.getItem('sidebar-expanded') == 'true') {
        document.querySelector('body').classList.add('sidebar-expanded');
    } else {
@ -91,7 +91,7 @@
 {{ $scripts ?? '' }}
-<script>
+<script @cspnonce>
    // Light/Dark mode toggle (guarded for Livewire navigation)
    (function() {
        if (window.__lightSwitchInitialized) return;
--- a/src/Core/Front/Components/View/Blade/layouts/partials/fonts.blade.php
+++ b/src/Core/Front/Components/View/Blade/layouts/partials/fonts.blade.php
@ -1,5 +1,5 @@
 {{-- Self-hosted Inter variable font --}}
-<style>
+<style @cspnonce>
    @font-face {
        font-family: 'Inter';
        src: url('/fonts/InterVariable.woff2') format('woff2-variations');
--- a/src/Core/Front/Web/Blade/layouts/app.blade.php
+++ b/src/Core/Front/Web/Blade/layouts/app.blade.php
@ -16,7 +16,7 @@
    <title>{{ $title }}</title>
    {{-- Critical CSS: Prevents white flash during page load/navigation --}}
-    <style>
+    <style @cspnonce>
        html { background-color: #ffffff; }
        html.dark { background-color: #111827; }
    </style>
--- a/src/Core/Headers/CspNonceService.php
+++ b/src/Core/Headers/CspNonceService.php
@ -11,6 +11,8 @@ declare(strict_types=1);
 namespace Core\Headers;
 use Illuminate\Support\Facades\Vite;
 /**
 * Service for generating and managing CSP nonces.
 *
@ -84,10 +86,17 @@ class CspNonceService
    /**
     * Generate a cryptographically secure nonce.
     *
     * Also registers it with Vite so Livewire and Vite-generated tags
     * automatically include the nonce attribute.
     */
    protected function generateNonce(): string
    {
-        return base64_encode(random_bytes($this->nonceLength));
+        $nonce = base64_encode(random_bytes($this->nonceLength));
        Vite::useCspNonce($nonce);
        return $nonce;
    }
    /**