Missing script property nonce #111

@w1ckedmellow

Hi Didomi team 👋
We're currently integrating the Didomi React SDK into a project that enforces a strict Content Security Policy (CSP), which requires all inline scripts to include a nonce attribute. However, we noticed that the SDK does not provide a way to set a nonce on the injected <script> tags, which causes CSP violations and blocks the Didomi scripts from executing.
Expected behavior:
There should be a way to pass a nonce value (e.g., via a prop or config option) so that the SDK can include it in the <script> tags it injects.
Actual behavior:
No nonce attribute is added to the injected scripts, and CSP blocks them.
Suggested solution:
Add support for a nonce prop in the React component or configuration object, which would be applied to all dynamically injected <script> elements.
Environment:

Package: @didomi/react
Framework: React
CSP: strict mode with script-src 'nonce-xyz'
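
The behaviour requested above, as an added example that is not part of the original issue and is not @didomi/react code: a loader that forwards a caller-supplied nonce to the `<script>` element it injects, checked against a simplified model of the `script-src` nonce match. The names `injectScript`, `nonceAllows`, `allowedScriptNonces` and `fakeDocument`, the URL and the nonce value are all assumptions constructed for illustration.

```javascript
// Added example: hypothetical loader, not the @didomi/react API.

// Collect the nonces a policy allows for scripts. Simplified: first occurrence of a
// directive wins, script-src falls back to default-src, script-src-elem is ignored.
function allowedScriptNonces(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  const sources = directives.get("script-src") ?? directives.get("default-src") ?? [];
  return sources
    .map((s) => /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
}

// Models only the nonce match (no hashes, host sources or 'strict-dynamic').
function nonceAllows(csp, script) {
  return script.nonce !== "" && allowedScriptNonces(csp).includes(script.nonce);
}

// Hypothetical loader: the integrator passes the per-response nonce, and the loader
// sets it on the element before inserting it into the document.
function injectScript(doc, src, { nonce } = {}) {
  const el = doc.createElement("script");
  el.src = src;
  el.async = true;
  if (nonce) el.nonce = nonce;
  doc.head.appendChild(el);
  return el;
}

// Constructed stand-in for `document` so the example runs outside a browser.
function fakeDocument() {
  const children = [];
  return {
    head: { children, appendChild: (el) => children.push(el) },
    createElement: (tagName) => ({ tagName, nonce: "", src: "" }),
  };
}

function demo() {
  const csp = "default-src 'self'; script-src 'nonce-cjRuZDBtLW5vbmNl'"; // constructed policy
  const doc = fakeDocument();
  const without = injectScript(doc, "https://sdk.example/loader.js"); // placeholder URL
  const withNonce = injectScript(doc, "https://sdk.example/loader.js", { nonce: "cjRuZDBtLW5vbmNl" });
  return { without: nonceAllows(csp, without), withNonce: nonceAllows(csp, withNonce) };
}
console.log(demo());
```

In a browser, pass the real `document` as `doc`; the nonce must be the value the server generated for that response, not a fixed string.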
