From e087f30c6a45ff445d1bb82054e778577cc6aa51 Mon Sep 17 00:00:00 2001
From: Steven Le
Date: Thu, 14 Mar 2024 08:18:03 -0700
Subject: [PATCH] fix: update csp default handling

---
 packages/root/src/render/render.tsx | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/packages/root/src/render/render.tsx b/packages/root/src/render/render.tsx
index da2e56b8..067d5ed3 100644
--- a/packages/root/src/render/render.tsx
+++ b/packages/root/src/render/render.tsx
@@ -533,11 +533,18 @@ export class Renderer {
 const securityConfig: Partial = {};
 if (isTrueOrUndefined(userConfig.contentSecurityPolicy)) {
+ // CSP default values from:
+ // https://csp.withgoogle.com/docs/strict-csp.html
 securityConfig.contentSecurityPolicy = {
 directives: {
 'base-uri': ["'none'"],
 'object-src': ["'none'"],
- 'script-src': ["'self'"],
+ // NOTE: nonce is automatically added to this list.
+ 'script-src': [
+ "'unsafe-inline'",
+ "'unsafe-eval'",
+ "'strict-dynamic' https: http:",
+ ],
 },
 reportOnly: true,
 };
@@ -580,17 +587,8 @@ export class Renderer {
 if (typeof contentSecurityPolicy === 'object') {
 const directives = contentSecurityPolicy.directives || {};
 if (options.nonce) {
- // CSP default values from:
- // https://csp.withgoogle.com/docs/strict-csp.html
- if (!directives['object-src']) {
- directives['object-src'] = ["'none'"];
- }
- if (!directives['base-uri']) {
- directives['base-uri'] = ["'none'"];
- }
 if (!directives['script-src']) {
 directives['script-src'] = [
- "'self'",
 "'unsafe-inline'",
 "'unsafe-eval'",
 "'strict-dynamic' https: http:",
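Review bot: The new default `script-src` in the `isTrueOrUndefined(userConfig.contentSecurityPolicy)` branch of the first hunk includes `'unsafe-eval'`, which, unlike `'unsafe-inline'` and the `https: http:` fallbacks, is not neutralized by `'strict-dynamic'` in nonce-aware browsers, so the default policy keeps eval-style execution allowed even though the linked strict-CSP page treats that entry as optional. If the default does not need it, drop that array element; otherwise document the reason next to it, e.g. `// 'unsafe-eval' is NOT ignored under 'strict-dynamic'; kept only for <reason>`. The added `NOTE: nonce is automatically added to this list.` appears to rely on the `if (options.nonce)` path in the second hunk, so when no nonce is supplied the emitted policy is `'strict-dynamic'` without any nonce, which in supporting browsers allows no scripts at all (only reported here, since `reportOnly: true`); that case is worth spelling out in the comment, e.g. `// Without a nonce, 'strict-dynamic' permits no scripts in modern browsers.`. Removing `'self'` is consistent with `'strict-dynamic'` ignoring host-source entries.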