Hot Reloading ignores __webpack_nonce__ #427
Comments
Sorry for the delay, I will look into this in the near future.
A workaround to this that seems to work for me is to set the value via a

```js
// DefinePlugin replaces each __webpack_nonce__ reference with the expression window.__CSP_NONCE
new webpack.DefinePlugin({
  __webpack_nonce__: 'window.__CSP_NONCE',
})
```

This results in all usages in all files being replaced with the reference to the window field, even when hot reloading. This plugin is before
I had the same problem - first fixed with this solution.
Are there any updates to this issue besides the workaround?
This is not just an issue with hot reloading. I have debugged this and the reason that it doesn't work is that injectStylesIntoStyleTag.js should set the nonce via
Expected Behavior
When hot-reloading is enabled, `style-loader` should add `<style>` elements with a `nonce` attribute. The value of the `nonce` attribute should be the value of `__webpack_nonce__`.
Actual Behavior
`<style>` elements do not contain the `nonce` attribute. Styles are not applied. There is a content-security-policy error in the console, such as the following example.
Code
I made a repository to demonstrate this issue at
https://github.com/mgreystone/test-style-loader-nonce/tree/45e3402c342036be2a412e4622802497b7c5dfa8
How Do We Reproduce?
Using hot-reload on webpack-dev-server, load a module that both
- `__webpack_nonce__ = 'secret'`
- `style-loader`

Use this on a server that responds with a CSP header of `Content-Security-Policy: style-src 'nonce-secret'`.
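
The behaviour reported above, as an added example that is not part of the original issue and is not style-loader's code: a simplified model of how a `style-src` nonce policy treats an inline `<style>` with and without a `nonce` attribute. The function names are hypothetical, and only nonce sources and `'unsafe-inline'` are modelled (hash sources are ignored).

```javascript
// Added example: simplified CSP evaluation for inline <style> elements.
// Assumption: only nonce sources and 'unsafe-inline' are modelled.

// Return the source list governing <style> elements, following the
// style-src-elem -> style-src -> default-src fallback order.
function styleSources(cspValue) {
  const directives = new Map();
  for (const part of cspValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  for (const name of ['style-src-elem', 'style-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null; // no governing directive: inline styles are unrestricted
}

// Decide whether an inline <style> carrying `nonceAttr` would be applied.
function inlineStyleAllowed(cspValue, nonceAttr) {
  const sources = styleSources(cspValue);
  if (sources === null) return true;
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // strip the leading 'nonce- and trailing '
  if (nonceAttr && nonces.includes(nonceAttr)) return true;
  // 'unsafe-inline' is ignored once a nonce source is present.
  return nonces.length === 0 &&
    sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Hypothetical insertion step: copy the nonce onto the element's attributes
// before the <style> element is attached to the document.
function buildStyleAttributes(webpackNonce) {
  const attrs = { type: 'text/css' };
  if (typeof webpackNonce === 'string' && webpackNonce !== '') {
    attrs.nonce = webpackNonce;
  }
  return attrs;
}

// Constructed sample: the policy value from the reproduction steps.
const policy = "style-src 'nonce-secret'";
console.log(inlineStyleAllowed(policy, buildStyleAttributes(undefined).nonce));
console.log(inlineStyleAllowed(policy, buildStyleAttributes('secret').nonce));
```
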