Adjust CSP

README.md

@@ -104,7 +104,7 @@ The content_security_policy.rb has to have `:strict_dynamic` for `policy.script_
   policy.style_src :self, :https, :unsafe_inline
 ```
 
-The `config.content_security_policy_nonce_directives = %w[script-src]` can't include `style-src` since we can't add the nonce to dynamically created style tags that our editor creates
+The `config.content_security_policy_nonce_directives = %w[script-src style-src]` can include `style-src` but this _might_ break some styling in some cases
 
 ### Browser support
 

examples/demo/app/views/layouts/application.html.erb

@@ -6,7 +6,7 @@
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
 
-    <%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
+    <%= stylesheet_link_tag "application", "data-turbo-track": "reload", nonce: true %>
     <%= javascript_importmap_tags %>
     <%= load_in_context_editor %>
   </head>

examples/demo/config/initializers/content_security_policy.rb

@@ -18,7 +18,7 @@
 
   # Generate session nonces for permitted importmap and inline scripts
   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-  config.content_security_policy_nonce_directives = %w[script-src]
+  config.content_security_policy_nonce_directives = %w[script-src style-src]
 
   # Report violations without enforcing the policy.
   # config.content_security_policy_report_only = true