diff --git a/.changeset/thin-streets-rule.md b/.changeset/thin-streets-rule.md new file mode 100644 index 0000000000..adbd2a115c --- /dev/null +++ b/.changeset/thin-streets-rule.md @@ -0,0 +1,5 @@ +--- +"@lynx-js/web-core": patch +--- + +fix csp issue for mts realm diff --git a/packages/web-platform/web-core/src/uiThread/createRenderAllOnUI.ts b/packages/web-platform/web-core/src/uiThread/createRenderAllOnUI.ts index 7ca80147d7..08dbc39061 100644 --- a/packages/web-platform/web-core/src/uiThread/createRenderAllOnUI.ts +++ b/packages/web-platform/web-core/src/uiThread/createRenderAllOnUI.ts @@ -25,7 +25,8 @@ import type { StartUIThreadCallbacks } from './startUIThread.js'; const existingScript = document.querySelector('script[nonce]') as | HTMLScriptElement | null; -const nonce = existingScript?.nonce || existingScript?.getAttribute('nonce'); +const nonce = existingScript?.nonce || existingScript?.getAttribute('nonce') + || ''; const { prepareMainThreadAPIs, @@ -57,7 +58,7 @@ async function createIFrameRealm(parent: Node): Promise { }); iframe.style.display = 'none'; iframe.srcdoc = - ''; + ``; iframe.sandbox = 'allow-same-origin allow-scripts'; // Restrict capabilities for security iframe.loading = 'eager'; parent.appendChild(iframe); @@ -68,7 +69,7 @@ async function createIFrameRealm(parent: Node): Promise { script.fetchPriority = 'high'; script.defer = true; script.async = false; - script.nonce = nonce || ''; + script.nonce = nonce; iframe.contentDocument!.head.appendChild(script); return new Promise(async (resolve, reject) => { script.onload = () => { @@ -90,6 +91,7 @@ async function createIFrameRealm(parent: Node): Promise { xhr.send(null); if (xhr.status === 200) { const script = iframe.contentDocument!.createElement('script'); + script.nonce = nonce; script.textContent = xhr.responseText; // @ts-expect-error iframeWindow.module = { exports: undefined };