From c803f54860522f52aa9719eb5fdd622a7d793b7b Mon Sep 17 00:00:00 2001
From: Varpusparvi
Date: Tue, 9 Jul 2024 15:51:20 +0200
Subject: [PATCH] Adjust CSP

---
 README.md | 2 +-
 examples/demo/app/views/layouts/application.html.erb | 2 +-
 examples/demo/config/initializers/content_security_policy.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index a3d3938..d145914 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ The content_security_policy.rb has to have `:strict_dynamic` for `policy.script_
 policy.style_src :self, :https, :unsafe_inline
 ```
-The `config.content_security_policy_nonce_directives = %w[script-src]` can't include `style-src` since we can't add the nonce to dynamically created style tags that our editor creates
+The `config.content_security_policy_nonce_directives = %w[script-src style-src]` can include `style-src` but this _might_ break some styling in some cases
 ### Browser support
diff --git a/examples/demo/app/views/layouts/application.html.erb b/examples/demo/app/views/layouts/application.html.erb
index 0681b3c..789180f 100644
--- a/examples/demo/app/views/layouts/application.html.erb
+++ b/examples/demo/app/views/layouts/application.html.erb
@@ -6,7 +6,7 @@
 <%= csrf_meta_tags %>
 <%= csp_meta_tag %>
- <%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
+ <%= stylesheet_link_tag "application", "data-turbo-track": "reload", nonce: true %>
 <%= javascript_importmap_tags %>
 <%= load_in_context_editor %>
diff --git a/examples/demo/config/initializers/content_security_policy.rb b/examples/demo/config/initializers/content_security_policy.rb
index d6dfbc4..60fe450 100644
--- a/examples/demo/config/initializers/content_security_policy.rb
+++ b/examples/demo/config/initializers/content_security_policy.rb
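Review bot: The `nonce: true` added to `stylesheet_link_tag` only does what the commit intends if this app's Rails version resolves that option to the request nonce on `<link>` tags; a helper that does not know the option renders it as a plain attribute, so the rendered `<link>` should be checked for `nonce="<request nonce>"` rather than a literal value. With the README's policy still listing `style_src :self, :https`, the external stylesheet is allowed by source regardless of the nonce; what the nonce directive really changes is that every `<style>` element and `style=` attribute without a nonce is blocked, because browsers ignore `:unsafe_inline` for a directive that carries a nonce source (CSP Level 2 behaviour), which is the breakage the README hunk hedges about. The nonce value comes from `request.session.id.to_s` on the initializer's context lines, so putting it on more elements widens where that session-derived value is embedded in the page; a per-request random generator is the safer choice if session-stable nonces are not needed for caching. A short comment on the new line would help the next reader, e.g. `<%# nonce: style-src is a nonce directive in content_security_policy.rb %>`.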
@@ -18,7 +18,7 @@
 # Generate session nonces for permitted importmap and inline scripts
 config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
- config.content_security_policy_nonce_directives = %w[script-src]
+ config.content_security_policy_nonce_directives = %w[script-src style-src]
 # Report violations without enforcing the policy.
 # config.content_security_policy_report_only = true
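Review bot: Adding `style-src` to `content_security_policy_nonce_directives` changes what the style policy enforces without saying so: once a nonce source is present in `style-src`, browsers ignore `:unsafe_inline` for that directive, so any `<style>` element or `style=` attribute that lacks the nonce is blocked, and that should be stated next to the new line, e.g. `# style-src nonces disable :unsafe_inline; inline styles without the nonce are blocked`. The commented-out `# config.content_security_policy_report_only = true` two lines below is the right way to surface those violations before enforcing, and the same comment could point at it. The editor-created style tags that the old README text mentions can only pass this policy if the editor reads the nonce from the `csp_meta_tag` the layout renders and sets it on each `<style>` before inserting it; this commit presumably relies on that, so it is worth confirming rather than leaving the README's "_might_ break" as the only record. The generator on the context line above derives the nonce from the session id, so the value repeats across requests within a session; that is pre-existing, but with the nonce now covering styles too a per-request random value is worth considering. The `configure` block these lines belong to starts and ends outside the hunk.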