From 7d80e200d9c9085760a9ccd3212eb847cfd8714b Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:12:38 +0100
Subject: [PATCH 01/20] add nonce to script-src-elem csp directive if defined

---
 packages/kit/src/runtime/server/page/csp.js | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index a1a530d9d62e..4384506823ca 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -40,6 +40,9 @@ class BaseProvider {
 	/** @type {import('types').Csp.Source[]} */
 	#script_src;
 
+	/** @type {import('types').Csp.Source[]} */
+	#script_src_elem;
+
 	/** @type {import('types').Csp.Source[]} */
 	#style_src;
 
@@ -79,6 +82,7 @@ class BaseProvider {
 		}
 
 		this.#script_src = [];
+		this.#script_src_elem = [];
 		this.#style_src = [];
 
 		const effective_script_src = d['script-src'] || d['default-src'];
@@ -103,8 +107,13 @@ class BaseProvider {
 		if (this.#script_needs_csp) {
 			if (this.#use_hashes) {
 				this.#script_src.push(`sha256-${sha256(content)}`);
-			} else if (this.#script_src.length === 0) {
-				this.#script_src.push(`nonce-${this.#nonce}`);
+			} else {
+				if (this.#script_src.length === 0) {
+					this.#script_src.push(`nonce-${this.#nonce}`);
+				}
+				if (this.#script_src_elem.length === 0) {
+					this.#script_src_elem.push(`nonce-${this.#nonce}`);
+				}
 			}
 		}
 	}
@@ -146,6 +155,13 @@ class BaseProvider {
 			];
 		}
 
+		if (this.#script_src_elem.length > 0) {
+			directives['script-src-elem'] = [
+				...(directives['script-src-elem'] || []),
+				...this.#script_src_elem
+			];
+		}
+
 		for (const key in directives) {
 			if (is_meta && (key === 'frame-ancestors' || key === 'report-uri' || key === 'sandbox')) {
 				// these values cannot be used with a <meta> tag

From c4cf0efb681e471dd5e688552ae5f1558520cd3e Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:19:44 +0100
Subject: [PATCH 02/20] added changeset

---
 .changeset/giant-years-drum.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/giant-years-drum.md

diff --git a/.changeset/giant-years-drum.md b/.changeset/giant-years-drum.md
new file mode 100644
index 000000000000..b1f0b9fbed56
--- /dev/null
+++ b/.changeset/giant-years-drum.md
@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+nonce is automatically added if script-src-elem is defined in csp directives config

From b168c24d59489332e34ab6bfe00bfe7cf765acb9 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:40:52 +0100
Subject: [PATCH 03/20] also handle hashes and style-src-attr and
 style-src-elem

---
 packages/kit/src/runtime/server/page/csp.js | 92 +++++++++++++++++----
 1 file changed, 76 insertions(+), 16 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 4384506823ca..50ef96bcf517 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -46,6 +46,12 @@ class BaseProvider {
 	/** @type {import('types').Csp.Source[]} */
 	#style_src;
 
+	/** @type {import('types').Csp.Source[]} */
+	#style_src_attr;
+
+	/** @type {import('types').Csp.Source[]} */
+	#style_src_elem;
+
 	/** @type {string} */
 	#nonce;
 
@@ -60,6 +66,18 @@ class BaseProvider {
 
 		const d = this.#directives;
 
+		this.#script_src = [];
+		this.#script_src_elem = [];
+		this.#style_src = [];
+		this.#style_src_attr = [];
+		this.#style_src_elem = [];
+
+		const effective_script_src = d['script-src'] || d['default-src'];
+		const script_src_elem = d['script-src-elem'];
+		const effective_style_src = d['style-src'] || d['default-src'];
+		const style_src_elem = d['style-src-elem'];
+		const style_src_attr = d['style-src-attr'];
+
 		if (__SVELTEKIT_DEV__) {
 			// remove strict-dynamic in dev...
 			// TODO reinstate this if we can figure out how to make strict-dynamic work
@@ -73,29 +91,34 @@ class BaseProvider {
 			// 	if (d['script-src'].length === 0) delete d['script-src'];
 			// }
 
-			const effective_style_src = d['style-src'] || d['default-src'];
-
 			// ...and add unsafe-inline so we can inject <style> elements
 			if (effective_style_src && !effective_style_src.includes('unsafe-inline')) {
 				d['style-src'] = [...effective_style_src, 'unsafe-inline'];
 			}
-		}
 
-		this.#script_src = [];
-		this.#script_src_elem = [];
-		this.#style_src = [];
+			if (style_src_attr && !style_src_attr.includes('unsafe-inline')) {
+				d['style-src-elem'] = [...style_src_attr, 'unsafe-inline'];
+			}
 
-		const effective_script_src = d['script-src'] || d['default-src'];
-		const effective_style_src = d['style-src'] || d['default-src'];
+			if (style_src_elem && !style_src_elem.includes('unsafe-inline')) {
+				d['style-src-elem'] = [...style_src_elem, 'unsafe-inline'];
+			}
+		}
 
 		this.#script_needs_csp =
-			!!effective_script_src &&
-			effective_script_src.filter((value) => value !== 'unsafe-inline').length > 0;
+			(!!effective_script_src &&
+				effective_script_src.filter((value) => value !== 'unsafe-inline').length > 0) ||
+			(!!script_src_elem &&
+				script_src_elem.filter((value) => value !== 'unsafe-inline').length > 0);
 
 		this.#style_needs_csp =
 			!__SVELTEKIT_DEV__ &&
-			!!effective_style_src &&
-			effective_style_src.filter((value) => value !== 'unsafe-inline').length > 0;
+			((!!effective_style_src &&
+				effective_style_src.filter((value) => value !== 'unsafe-inline').length > 0) ||
+				(!!style_src_attr &&
+					style_src_attr.filter((value) => value !== 'unsafe-inline').length > 0) ||
+				(!!style_src_elem &&
+					style_src_elem.filter((value) => value !== 'unsafe-inline').length > 0));
 
 		this.script_needs_nonce = this.#script_needs_csp && !this.#use_hashes;
 		this.style_needs_nonce = this.#style_needs_csp && !this.#use_hashes;
@@ -106,7 +129,13 @@ class BaseProvider {
 	add_script(content) {
 		if (this.#script_needs_csp) {
 			if (this.#use_hashes) {
-				this.#script_src.push(`sha256-${sha256(content)}`);
+				const hash = `sha256-${sha256(content)}`;
+
+				this.#script_src.push(`sha256-${hash}`);
+
+				if (this.#script_src_elem.length === 0) {
+					this.#script_src_elem.push(`sha256-${hash}`);
+				}
 			} else {
 				if (this.#script_src.length === 0) {
 					this.#script_src.push(`nonce-${this.#nonce}`);
@@ -122,9 +151,26 @@ class BaseProvider {
 	add_style(content) {
 		if (this.#style_needs_csp) {
 			if (this.#use_hashes) {
-				this.#style_src.push(`sha256-${sha256(content)}`);
-			} else if (this.#style_src.length === 0) {
-				this.#style_src.push(`nonce-${this.#nonce}`);
+				const hash = `sha256-${sha256(content)}`;
+
+				this.#style_src.push(`sha256-${hash}`);
+
+				if (this.#style_src_attr.length === 0) {
+					this.#style_src_attr.push(`sha256-${hash}`);
+				}
+				if (this.#style_src_elem.length === 0) {
+					this.#style_src_elem.push(`sha256-${hash}`);
+				}
+			} else {
+				if (this.#style_src.length === 0) {
+					this.#style_src.push(`nonce-${this.#nonce}`);
+				}
+				if (this.#style_src_attr.length === 0) {
+					this.#style_src_attr.push(`nonce-${this.#nonce}`);
+				}
+				if (this.#style_src_elem.length === 0) {
+					this.#style_src_elem.push(`nonce-${this.#nonce}`);
+				}
 			}
 		}
 	}
@@ -148,6 +194,20 @@ class BaseProvider {
 			];
 		}
 
+		if (this.#style_src_attr.length > 0) {
+			directives['style-src-attr'] = [
+				...(directives['style-src-attr'] || []),
+				...this.#style_src_attr
+			];
+		}
+
+		if (this.#style_src_elem.length > 0) {
+			directives['style-src-elem'] = [
+				...(directives['style-src-elem'] || []),
+				...this.#style_src_elem
+			];
+		}
+
 		if (this.#script_src.length > 0) {
 			directives['script-src'] = [
 				...(directives['script-src'] || directives['default-src'] || []),

From 72156a0f836704a44ea5b79da4d9648684ef61a8 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:43:09 +0100
Subject: [PATCH 04/20] changed order of variable declaration

---
 packages/kit/src/runtime/server/page/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 50ef96bcf517..fc28ddab0875 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -75,8 +75,8 @@ class BaseProvider {
 		const effective_script_src = d['script-src'] || d['default-src'];
 		const script_src_elem = d['script-src-elem'];
 		const effective_style_src = d['style-src'] || d['default-src'];
-		const style_src_elem = d['style-src-elem'];
 		const style_src_attr = d['style-src-attr'];
+		const style_src_elem = d['style-src-elem'];
 
 		if (__SVELTEKIT_DEV__) {
 			// remove strict-dynamic in dev...

From 12855e7a99f69fa0f20018ccb41a5b80a27158e8 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:43:49 +0100
Subject: [PATCH 05/20] fixed typo

---
 packages/kit/src/runtime/server/page/csp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index fc28ddab0875..38341fdeb0c4 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -97,7 +97,7 @@ class BaseProvider {
 			}
 
 			if (style_src_attr && !style_src_attr.includes('unsafe-inline')) {
-				d['style-src-elem'] = [...style_src_attr, 'unsafe-inline'];
+				d['style-src-attr'] = [...style_src_attr, 'unsafe-inline'];
 			}
 
 			if (style_src_elem && !style_src_elem.includes('unsafe-inline')) {

From 403ab860c031ee530499d19e42e2d474610ff208 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:47:36 +0100
Subject: [PATCH 06/20] updated changeset

---
 .changeset/giant-years-drum.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/giant-years-drum.md b/.changeset/giant-years-drum.md
index b1f0b9fbed56..cd688d3c8aa2 100644
--- a/.changeset/giant-years-drum.md
+++ b/.changeset/giant-years-drum.md
@@ -2,4 +2,4 @@
 "@sveltejs/kit": patch
 ---
 
-nonce is automatically added if script-src-elem is defined in csp directives config
+nonce or hash is automatically added to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in csp directives config

From e1e0795fbb6c01bed54ff662216386882ee889fb Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:52:21 +0100
Subject: [PATCH 07/20] fix bug and update test

---
 packages/kit/src/runtime/server/page/csp.js      | 4 ++--
 packages/kit/src/runtime/server/page/csp.spec.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 38341fdeb0c4..1a7aa2edae17 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -129,7 +129,7 @@ class BaseProvider {
 	add_script(content) {
 		if (this.#script_needs_csp) {
 			if (this.#use_hashes) {
-				const hash = `sha256-${sha256(content)}`;
+				const hash = sha256(content)
 
 				this.#script_src.push(`sha256-${hash}`);
 
@@ -151,7 +151,7 @@ class BaseProvider {
 	add_style(content) {
 		if (this.#style_needs_csp) {
 			if (this.#use_hashes) {
-				const hash = `sha256-${sha256(content)}`;
+				const hash = sha256(content);
 
 				this.#style_src.push(`sha256-${hash}`);
 
diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 66ea28085d2c..1c6d3ead0d1b 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -235,12 +235,12 @@ test('uses hashes when prerendering', () => {
 
 	assert.equal(
 		csp.csp_provider.get_header(),
-		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
+		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; script-src-elem 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
 	);
 
 	assert.equal(
 		csp.report_only_provider.get_header(),
-		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; report-uri /"
+		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; script-src-elem 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; report-uri /"
 	);
 });
 

From a6d84193bdd10b812f26d8fc6fe741e0ec0083df Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 00:54:51 +0100
Subject: [PATCH 08/20] update test

---
 packages/kit/src/runtime/server/page/csp.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 1c6d3ead0d1b..21d4bc8ac80d 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -240,7 +240,7 @@ test('uses hashes when prerendering', () => {
 
 	assert.equal(
 		csp.report_only_provider.get_header(),
-		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; script-src-elem 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; report-uri /"
+		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; report-uri /; script-src-elem 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
 	);
 });
 

From aabaee2359b25036f2a7fe35c4b57d861f0da3c8 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Sat, 30 Dec 2023 01:32:51 +0100
Subject: [PATCH 09/20] write better tests and fix bugs

---
 packages/kit/src/runtime/server/page/csp.js   | 18 +++--
 .../kit/src/runtime/server/page/csp.spec.js   | 76 +++++++++++++++++--
 2 files changed, 82 insertions(+), 12 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 1a7aa2edae17..6bd55f9c0c38 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -128,19 +128,21 @@ class BaseProvider {
 	/** @param {string} content */
 	add_script(content) {
 		if (this.#script_needs_csp) {
+			const d = this.#directives;
+
 			if (this.#use_hashes) {
-				const hash = sha256(content)
+				const hash = sha256(content);
 
 				this.#script_src.push(`sha256-${hash}`);
 
-				if (this.#script_src_elem.length === 0) {
+				if (d['script-src-elem']?.length) {
 					this.#script_src_elem.push(`sha256-${hash}`);
 				}
 			} else {
 				if (this.#script_src.length === 0) {
 					this.#script_src.push(`nonce-${this.#nonce}`);
 				}
-				if (this.#script_src_elem.length === 0) {
+				if (d['script-src-elem']?.length) {
 					this.#script_src_elem.push(`nonce-${this.#nonce}`);
 				}
 			}
@@ -150,25 +152,27 @@ class BaseProvider {
 	/** @param {string} content */
 	add_style(content) {
 		if (this.#style_needs_csp) {
+			const d = this.#directives;
+
 			if (this.#use_hashes) {
 				const hash = sha256(content);
 
 				this.#style_src.push(`sha256-${hash}`);
 
-				if (this.#style_src_attr.length === 0) {
+				if (d['style-src-attr']?.length) {
 					this.#style_src_attr.push(`sha256-${hash}`);
 				}
-				if (this.#style_src_elem.length === 0) {
+				if (d['style-src-elem']?.length) {
 					this.#style_src_elem.push(`sha256-${hash}`);
 				}
 			} else {
 				if (this.#style_src.length === 0) {
 					this.#style_src.push(`nonce-${this.#nonce}`);
 				}
-				if (this.#style_src_attr.length === 0) {
+				if (d['style-src-attr']?.length) {
 					this.#style_src_attr.push(`nonce-${this.#nonce}`);
 				}
-				if (this.#style_src_elem.length === 0) {
+				if (d['style-src-elem']?.length) {
 					this.#style_src_elem.push(`nonce-${this.#nonce}`);
 				}
 			}
diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 21d4bc8ac80d..24a7afe74adb 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -153,6 +153,68 @@ test('skips frame-ancestors, report-uri, sandbox from meta tags', () => {
 	);
 });
 
+test('adds nonce to script-src-elem, style-src-attr and style-src-elem if necessary', () => {
+	const csp = new Csp(
+		{
+			mode: 'auto',
+			directives: {
+				'script-src-elem': ['self'],
+				'style-src-attr': ['self'],
+				'style-src-elem': ['self']
+			},
+			reportOnly: {}
+		},
+		{
+			prerender: false
+		}
+	);
+
+	csp.add_script('');
+	csp.add_style('');
+
+	const csp_header = csp.csp_provider.get_header();
+	assert.ok(csp_header.includes("script-src-elem 'self' 'nonce-"));
+	assert.ok(csp_header.includes("style-src-attr 'self' 'nonce-"));
+	assert.ok(csp_header.includes("style-src-elem 'self' 'nonce-"));
+});
+
+test('adds hash to script-src-elem, style-src-attr and style-src-elem if necessary during prerendering', () => {
+	const csp = new Csp(
+		{
+			mode: 'auto',
+			directives: {
+				'script-src-elem': ['self'],
+				'style-src-attr': ['self'],
+				'style-src-elem': ['self']
+			},
+			reportOnly: {}
+		},
+		{
+			prerender: true
+		}
+	);
+
+	csp.add_script('');
+	csp.add_style('');
+
+	const csp_header = csp.csp_provider.get_header();
+	assert.ok(
+		csp_header.includes(
+			"script-src-elem 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
+		)
+	);
+	assert.ok(
+		csp_header.includes(
+			"style-src-attr 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
+		)
+	);
+	assert.ok(
+		csp_header.includes(
+			"style-src-elem 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
+		)
+	);
+});
+
 test('adds unsafe-inline styles in dev', () => {
 	// @ts-expect-error
 	globalThis.__SVELTEKIT_DEV__ = true;
@@ -161,10 +223,14 @@ test('adds unsafe-inline styles in dev', () => {
 		{
 			mode: 'hash',
 			directives: {
-				'default-src': ['self']
+				'default-src': ['self'],
+				'style-src-attr': ['self'],
+				'style-src-elem': ['self']
 			},
 			reportOnly: {
 				'default-src': ['self'],
+				'style-src-attr': ['self'],
+				'style-src-elem': ['self'],
 				'report-uri': ['/']
 			}
 		},
@@ -177,12 +243,12 @@ test('adds unsafe-inline styles in dev', () => {
 
 	assert.equal(
 		csp.csp_provider.get_header(),
-		"default-src 'self'; style-src 'self' 'unsafe-inline'"
+		"default-src 'self'; style-src-attr 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
 	);
 
 	assert.equal(
 		csp.report_only_provider.get_header(),
-		"default-src 'self'; report-uri /; style-src 'self' 'unsafe-inline'"
+		"default-src 'self'; style-src-attr 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; report-uri /; style-src 'self' 'unsafe-inline'"
 	);
 });
 
@@ -235,12 +301,12 @@ test('uses hashes when prerendering', () => {
 
 	assert.equal(
 		csp.csp_provider.get_header(),
-		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; script-src-elem 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
+		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
 	);
 
 	assert.equal(
 		csp.report_only_provider.get_header(),
-		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; report-uri /; script-src-elem 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='"
+		"script-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; report-uri /"
 	);
 });
 

From 1d961f13462d3b33676038b3f80878dc544d2881 Mon Sep 17 00:00:00 2001
From: Rich Harris <hello@rich-harris.dev>
Date: Mon, 8 Jan 2024 12:00:27 -0500
Subject: [PATCH 10/20] Update .changeset/giant-years-drum.md

---
 .changeset/giant-years-drum.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/giant-years-drum.md b/.changeset/giant-years-drum.md
index cd688d3c8aa2..8631d138229e 100644
--- a/.changeset/giant-years-drum.md
+++ b/.changeset/giant-years-drum.md
@@ -2,4 +2,4 @@
 "@sveltejs/kit": patch
 ---
 
-nonce or hash is automatically added to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in csp directives config
+fix: add nonce or hash to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in CSP config

From 5365a9442893be2812fd485c91235ae89f79c956 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Thu, 11 Jan 2024 23:31:06 +0100
Subject: [PATCH 11/20] fix csp nonce in script-src-elem, style-src-attr and
 style-src-elem when using unsafe-inline

---
 packages/kit/src/runtime/server/page/csp.js   | 140 +++++++++++-------
 .../kit/src/runtime/server/page/csp.spec.js   |  40 ++---
 2 files changed, 99 insertions(+), 81 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 547c43cd8835..4826d5a4716e 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -31,9 +31,24 @@ class BaseProvider {
 	/** @type {boolean} */
 	#script_needs_csp;
 
+	/** @type {boolean} */
+	#script_src_needs_csp;
+
+	/** @type {boolean} */
+	#script_src_elem_needs_csp;
+
 	/** @type {boolean} */
 	#style_needs_csp;
 
+	/** @type {boolean} */
+	#style_src_needs_csp;
+
+	/** @type {boolean} */
+	#style_src_attr_needs_csp;
+
+	/** @type {boolean} */
+	#style_src_elem_needs_csp;
+
 	/** @type {import('types').CspDirectives} */
 	#directives;
 
@@ -121,92 +136,105 @@ class BaseProvider {
 			}
 		}
 
-		this.#script_needs_csp =
-			(!!effective_script_src &&
-				effective_script_src.filter((value) => value !== 'unsafe-inline').length > 0) ||
-			(!!script_src_elem &&
-				script_src_elem.filter((value) => value !== 'unsafe-inline').length > 0);
+		/** @param {(import('types').Csp.Source | import('types').Csp.ActionSource)[] | undefined} directive */
+		const needs_csp = (directive) =>
+			!!directive && !directive.some((value) => value === 'unsafe-inline');
+
+		this.#script_src_needs_csp = needs_csp(effective_script_src);
+		this.#script_src_elem_needs_csp = needs_csp(script_src_elem);
+		this.#style_src_needs_csp = needs_csp(effective_style_src);
+		this.#style_src_attr_needs_csp = needs_csp(style_src_attr);
+		this.#style_src_elem_needs_csp = needs_csp(style_src_elem);
 
+		this.#script_needs_csp = this.#script_src_needs_csp || this.#script_src_elem_needs_csp;
 		this.#style_needs_csp =
 			!__SVELTEKIT_DEV__ &&
-			((!!effective_style_src &&
-				effective_style_src.filter((value) => value !== 'unsafe-inline').length > 0) ||
-				(!!style_src_attr &&
-					style_src_attr.filter((value) => value !== 'unsafe-inline').length > 0) ||
-				(!!style_src_elem &&
-					style_src_elem.filter((value) => value !== 'unsafe-inline').length > 0));
+			(this.#style_src_needs_csp ||
+				this.#style_src_attr_needs_csp ||
+				this.#style_src_elem_needs_csp);
 
 		this.script_needs_nonce = this.#script_needs_csp && !this.#use_hashes;
 		this.style_needs_nonce = this.#style_needs_csp && !this.#use_hashes;
+
 		this.#nonce = nonce;
 	}
 
 	/** @param {string} content */
 	add_script(content) {
-		if (this.#script_needs_csp) {
-			const d = this.#directives;
+		if (!this.#script_needs_csp) return;
 
-			if (this.#use_hashes) {
-				const hash = sha256(content);
+		if (this.#use_hashes) {
+			const hash = sha256(content);
 
+			if (this.#script_src_needs_csp) {
 				this.#script_src.push(`sha256-${hash}`);
+			}
 
-				if (d['script-src-elem']?.length) {
-					this.#script_src_elem.push(`sha256-${hash}`);
-				}
-			} else {
-				if (this.#script_src.length === 0) {
-					this.#script_src.push(`nonce-${this.#nonce}`);
-				}
-				if (d['script-src-elem']?.length) {
-					this.#script_src_elem.push(`nonce-${this.#nonce}`);
-				}
+			if (this.#script_src_elem_needs_csp) {
+				this.#script_src_elem.push(`sha256-${hash}`);
+			}
+		} else if (this.script_needs_nonce) {
+			if (this.#script_src_needs_csp) {
+				this.#script_src.push(`nonce-${this.#nonce}`);
+			}
+
+			if (this.#script_src_elem_needs_csp) {
+				this.#script_src_elem.push(`nonce-${this.#nonce}`);
 			}
 		}
 	}
 
 	/** @param {string} content */
 	add_style(content) {
-		if (this.#style_needs_csp) {
-			// this is the hash for "/* empty */"
-			// adding it so that svelte does not break csp
-			// see https://github.com/sveltejs/svelte/pull/7800
-			const empty_comment_hash = '9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=';
+		if (!this.#style_needs_csp) return;
 
-			const d = this.#directives;
+		// this is the hash for "/* empty */"
+		// adding it so that svelte does not break csp
+		// see https://github.com/sveltejs/svelte/pull/7800
+		const empty_comment_hash = '9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=';
+		const d = this.#directives;
 
-			if (this.#use_hashes) {
-				const hash = sha256(content);
+		if (this.#use_hashes) {
+			const hash = sha256(content);
 
+			if (this.#style_src_needs_csp) {
 				this.#style_src.push(`sha256-${hash}`);
+			}
 
-				if (d['style-src-attr']?.length) {
-					this.#style_src_attr.push(`sha256-${hash}`);
-				}
-				if (d['style-src-elem']?.length) {
-					if (
-						hash !== empty_comment_hash &&
-						!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`)
-					) {
-						this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
-					}
+			if (this.#style_src_attr_needs_csp) {
+				this.#style_src_attr.push(`sha256-${hash}`);
+			}
 
-					this.#style_src_elem.push(`sha256-${hash}`);
-				}
-			} else {
-				if (this.#style_src.length === 0 && !d['style-src']?.includes('unsafe-inline')) {
-					this.#style_src.push(`nonce-${this.#nonce}`);
+			if (this.#style_src_elem_needs_csp) {
+				if (
+					d['style-src-elem'] &&
+					!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`) &&
+					!this.#style_src_elem.includes(`sha256-${empty_comment_hash}`)
+				) {
+					this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
 				}
-				if (d['style-src-attr']?.length) {
-					this.#style_src_attr.push(`nonce-${this.#nonce}`);
-				}
-				if (d['style-src-elem']?.length) {
-					if (!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`)) {
-						this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
-					}
 
-					this.#style_src_elem.push(`nonce-${this.#nonce}`);
+				this.#style_src_elem.push(`sha256-${hash}`);
+			}
+		} else if (this.style_needs_nonce) {
+			if (this.#style_src_needs_csp) {
+				this.#style_src.push(`nonce-${this.#nonce}`);
+			}
+
+			if (this.#style_src_attr_needs_csp) {
+				this.#style_src_attr.push(`nonce-${this.#nonce}`);
+			}
+
+			if (this.#style_src_elem_needs_csp) {
+				if (
+					d['style-src-elem'] &&
+					!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`) &&
+					!this.#style_src_elem.includes(`sha256-${empty_comment_hash}`)
+				) {
+					this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
 				}
+
+				this.#style_src_elem.push(`nonce-${this.#nonce}`);
 			}
 		}
 	}
diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 670d27305065..af66f8e1110c 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -84,10 +84,20 @@ test('skips nonce with unsafe-inline', () => {
 		{
 			mode: 'nonce',
 			directives: {
-				'default-src': ['unsafe-inline']
+				'default-src': ['unsafe-inline'],
+				'script-src': ['unsafe-inline'],
+				'script-src-elem': ['unsafe-inline'],
+				'style-src': ['unsafe-inline'],
+				'style-src-attr': ['unsafe-inline'],
+				'style-src-elem': ['unsafe-inline']
 			},
 			reportOnly: {
 				'default-src': ['unsafe-inline'],
+				'script-src': ['unsafe-inline'],
+				'script-src-elem': ['unsafe-inline'],
+				'style-src': ['unsafe-inline'],
+				'style-src-attr': ['unsafe-inline'],
+				'style-src-elem': ['unsafe-inline'],
 				'report-uri': ['/']
 			}
 		},
@@ -98,33 +108,13 @@ test('skips nonce with unsafe-inline', () => {
 
 	csp.add_script('');
 
-	assert.equal(csp.csp_provider.get_header(), "default-src 'unsafe-inline'");
-	assert.equal(csp.report_only_provider.get_header(), "default-src 'unsafe-inline'; report-uri /");
-});
-
-test('skips nonce in style-src when using unsafe-inline', () => {
-	const csp = new Csp(
-		{
-			mode: 'nonce',
-			directives: {
-				'style-src': ['self', 'unsafe-inline']
-			},
-			reportOnly: {
-				'style-src': ['self', 'unsafe-inline'],
-				'report-uri': ['/']
-			}
-		},
-		{
-			prerender: false
-		}
+	assert.equal(
+		csp.csp_provider.get_header(),
+		"default-src 'unsafe-inline'; script-src 'unsafe-inline'; script-src-elem 'unsafe-inline'; style-src 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'"
 	);
-
-	csp.add_style('');
-
-	assert.equal(csp.csp_provider.get_header(), "style-src 'self' 'unsafe-inline'");
 	assert.equal(
 		csp.report_only_provider.get_header(),
-		"style-src 'self' 'unsafe-inline'; report-uri /"
+		"default-src 'unsafe-inline'; script-src 'unsafe-inline'; script-src-elem 'unsafe-inline'; style-src 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'; report-uri /"
 	);
 });
 

From 195d2719ab7143b77d8694fcfdec5809d8b57231 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Thu, 11 Jan 2024 23:34:33 +0100
Subject: [PATCH 12/20] fix test desc

---
 packages/kit/src/runtime/server/page/csp.spec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index af66f8e1110c..bd1cb8a4ecac 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -169,7 +169,7 @@ test('skips frame-ancestors, report-uri, sandbox from meta tags', () => {
 	);
 });
 
-test('adds nonce to script-src-elem, style-src-attr and style-src-elem if necessary', () => {
+test('adds nonce style-src-attr and style-src-elem and nonce + sha to script-src-elem if necessary', () => {
 	const csp = new Csp(
 		{
 			mode: 'auto',

From 74e8a936689aebe6892e37593eb762feb7e83f9e Mon Sep 17 00:00:00 2001
From: Mathias Picker <48158184+MathiasWP@users.noreply.github.com>
Date: Thu, 11 Jan 2024 23:35:36 +0100
Subject: [PATCH 13/20] Update giant-years-drum.md

---
 .changeset/giant-years-drum.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/giant-years-drum.md b/.changeset/giant-years-drum.md
index 8631d138229e..e1129e0d0486 100644
--- a/.changeset/giant-years-drum.md
+++ b/.changeset/giant-years-drum.md
@@ -2,4 +2,4 @@
 "@sveltejs/kit": patch
 ---
 
-fix: add nonce or hash to "script-src-elem", "style-src-attr" and "style-src-elem" if defined in CSP config
+fix: only add nonce to `script-src-elem`, `style-src-attr` and `style-src-elem` CSP directives when `unsafe-inline` is not present

From d46d29e0a23201440f2ecb6eda29284b5667d5a4 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Thu, 11 Jan 2024 23:48:02 +0100
Subject: [PATCH 14/20] refactor

---
 packages/kit/src/runtime/server/page/csp.js | 89 +++++++--------------
 1 file changed, 31 insertions(+), 58 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 4826d5a4716e..80ebc46da414 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -163,24 +163,15 @@ class BaseProvider {
 	add_script(content) {
 		if (!this.#script_needs_csp) return;
 
-		if (this.#use_hashes) {
-			const hash = sha256(content);
+		/** @type {`nonce-${string}` | `sha256-${string}`} */
+		const value = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
 
-			if (this.#script_src_needs_csp) {
-				this.#script_src.push(`sha256-${hash}`);
-			}
-
-			if (this.#script_src_elem_needs_csp) {
-				this.#script_src_elem.push(`sha256-${hash}`);
-			}
-		} else if (this.script_needs_nonce) {
-			if (this.#script_src_needs_csp) {
-				this.#script_src.push(`nonce-${this.#nonce}`);
-			}
+		if (this.#script_src_needs_csp) {
+			this.#script_src.push(value);
+		}
 
-			if (this.#script_src_elem_needs_csp) {
-				this.#script_src_elem.push(`nonce-${this.#nonce}`);
-			}
+		if (this.#script_src_elem_needs_csp) {
+			this.#script_src_elem.push(value);
 		}
 	}
 
@@ -188,54 +179,36 @@ class BaseProvider {
 	add_style(content) {
 		if (!this.#style_needs_csp) return;
 
-		// this is the hash for "/* empty */"
-		// adding it so that svelte does not break csp
-		// see https://github.com/sveltejs/svelte/pull/7800
-		const empty_comment_hash = '9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=';
-		const d = this.#directives;
-
-		if (this.#use_hashes) {
-			const hash = sha256(content);
-
-			if (this.#style_src_needs_csp) {
-				this.#style_src.push(`sha256-${hash}`);
-			}
+		/** @type {`nonce-${string}` | `sha256-${string}`} */
+		const value = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
 
-			if (this.#style_src_attr_needs_csp) {
-				this.#style_src_attr.push(`sha256-${hash}`);
-			}
+		if (this.#style_src_needs_csp) {
+			this.#style_src.push(value);
+		}
 
-			if (this.#style_src_elem_needs_csp) {
-				if (
-					d['style-src-elem'] &&
-					!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`) &&
-					!this.#style_src_elem.includes(`sha256-${empty_comment_hash}`)
-				) {
-					this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
-				}
+		if (this.#style_src_needs_csp) {
+			this.#style_src.push(value);
+		}
 
-				this.#style_src_elem.push(`sha256-${hash}`);
-			}
-		} else if (this.style_needs_nonce) {
-			if (this.#style_src_needs_csp) {
-				this.#style_src.push(`nonce-${this.#nonce}`);
-			}
+		if (this.#style_src_attr_needs_csp) {
+			this.#style_src_attr.push(value);
+		}
 
-			if (this.#style_src_attr_needs_csp) {
-				this.#style_src_attr.push(`nonce-${this.#nonce}`);
+		if (this.#style_src_elem_needs_csp) {
+			// this is the sha256 hash for the string "/* empty */"
+			// adding it so that svelte does not break csp
+			// see https://github.com/sveltejs/svelte/pull/7800
+			const sha256_empty_comment_hash = 'sha256-9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=';
+			const d = this.#directives;
+			if (
+				d['style-src-elem'] &&
+				!d['style-src-elem'].includes(sha256_empty_comment_hash) &&
+				!this.#style_src_elem.includes(sha256_empty_comment_hash)
+			) {
+				this.#style_src_elem.push(sha256_empty_comment_hash);
 			}
 
-			if (this.#style_src_elem_needs_csp) {
-				if (
-					d['style-src-elem'] &&
-					!d['style-src-elem'].includes(`sha256-${empty_comment_hash}`) &&
-					!this.#style_src_elem.includes(`sha256-${empty_comment_hash}`)
-				) {
-					this.#style_src_elem.push(`sha256-${empty_comment_hash}`);
-				}
-
-				this.#style_src_elem.push(`nonce-${this.#nonce}`);
-			}
+			this.#style_src_elem.push(value);
 		}
 	}
 

From b55ee1c9c08c31954f274d27b975f3b48ec74d32 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Thu, 11 Jan 2024 23:49:34 +0100
Subject: [PATCH 15/20] rename variable

---
 packages/kit/src/runtime/server/page/csp.js | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 80ebc46da414..98a7dd47d9d6 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -164,14 +164,14 @@ class BaseProvider {
 		if (!this.#script_needs_csp) return;
 
 		/** @type {`nonce-${string}` | `sha256-${string}`} */
-		const value = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
+		const source = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
 
 		if (this.#script_src_needs_csp) {
-			this.#script_src.push(value);
+			this.#script_src.push(source);
 		}
 
 		if (this.#script_src_elem_needs_csp) {
-			this.#script_src_elem.push(value);
+			this.#script_src_elem.push(source);
 		}
 	}
 
@@ -180,18 +180,18 @@ class BaseProvider {
 		if (!this.#style_needs_csp) return;
 
 		/** @type {`nonce-${string}` | `sha256-${string}`} */
-		const value = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
+		const source = this.#use_hashes ? `sha256-${sha256(content)}` : `nonce-${this.#nonce}`;
 
 		if (this.#style_src_needs_csp) {
-			this.#style_src.push(value);
+			this.#style_src.push(source);
 		}
 
 		if (this.#style_src_needs_csp) {
-			this.#style_src.push(value);
+			this.#style_src.push(source);
 		}
 
 		if (this.#style_src_attr_needs_csp) {
-			this.#style_src_attr.push(value);
+			this.#style_src_attr.push(source);
 		}
 
 		if (this.#style_src_elem_needs_csp) {
@@ -208,7 +208,7 @@ class BaseProvider {
 				this.#style_src_elem.push(sha256_empty_comment_hash);
 			}
 
-			this.#style_src_elem.push(value);
+			this.#style_src_elem.push(source);
 		}
 	}
 

From eba0e81a0ee56e4c27c130fc32ce6a67db23cc56 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Thu, 11 Jan 2024 23:58:02 +0100
Subject: [PATCH 16/20] avoid duplicate empty comment hash

---
 packages/kit/src/runtime/server/page/csp.js   |  5 +++-
 .../kit/src/runtime/server/page/csp.spec.js   | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/packages/kit/src/runtime/server/page/csp.js b/packages/kit/src/runtime/server/page/csp.js
index 98a7dd47d9d6..336d50261ad3 100644
--- a/packages/kit/src/runtime/server/page/csp.js
+++ b/packages/kit/src/runtime/server/page/csp.js
@@ -200,6 +200,7 @@ class BaseProvider {
 			// see https://github.com/sveltejs/svelte/pull/7800
 			const sha256_empty_comment_hash = 'sha256-9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=';
 			const d = this.#directives;
+
 			if (
 				d['style-src-elem'] &&
 				!d['style-src-elem'].includes(sha256_empty_comment_hash) &&
@@ -208,7 +209,9 @@ class BaseProvider {
 				this.#style_src_elem.push(sha256_empty_comment_hash);
 			}
 
-			this.#style_src_elem.push(source);
+			if (source !== sha256_empty_comment_hash) {
+				this.#style_src_elem.push(source);
+			}
 		}
 	}
 
diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index bd1cb8a4ecac..09d2d69e4e02 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -107,6 +107,7 @@ test('skips nonce with unsafe-inline', () => {
 	);
 
 	csp.add_script('');
+	csp.add_style('');
 
 	assert.equal(
 		csp.csp_provider.get_header(),
@@ -141,6 +142,30 @@ test('skips hash with unsafe-inline', () => {
 	assert.equal(csp.report_only_provider.get_header(), "default-src 'unsafe-inline'; report-uri /");
 });
 
+test('does not add empty comment hash to style-src-elem if already defined', () => {
+	const csp = new Csp(
+		{
+			mode: 'hash',
+			directives: {
+				'style-src-elem': ['self', 'sha256-9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc=']
+			},
+			reportOnly: {
+				'report-uri': ['/']
+			}
+		},
+		{
+			prerender: false
+		}
+	);
+
+	csp.add_style('/* empty */');
+
+	assert.equal(
+		csp.csp_provider.get_header(),
+		"style-src-elem 'self' 'sha256-9OlNO0DNEeaVzHL4RZwCLsBHA8WBQ8toBp/4F5XV2nc='"
+	);
+});
+
 test('skips frame-ancestors, report-uri, sandbox from meta tags', () => {
 	const csp = new Csp(
 		{

From b5d3e10695ad8be960d4b401df24399551f95f33 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Tue, 12 Nov 2024 21:51:14 +0100
Subject: [PATCH 17/20] add back removed test

---
 .../kit/src/runtime/server/page/csp.spec.js   | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 09d2d69e4e02..0236192f4971 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -79,6 +79,32 @@ test('generates CSP header with nonce', () => {
 	);
 });
 
+test('skips nonce in style-src when using unsafe-inline', () => {
+	const csp = new Csp(
+		{
+			mode: 'nonce',
+			directives: {
+				'style-src': ['self', 'unsafe-inline']
+			},
+			reportOnly: {
+				'style-src': ['self', 'unsafe-inline'],
+				'report-uri': ['/']
+			}
+		},
+		{
+			prerender: false
+		}
+	);
+
+	csp.add_style('');
+
+	assert.equal(csp.csp_provider.get_header(), "style-src 'self' 'unsafe-inline'");
+	assert.equal(
+		csp.report_only_provider.get_header(),
+		"style-src 'self' 'unsafe-inline'; report-uri /"
+	);
+});
+
 test('skips nonce with unsafe-inline', () => {
 	const csp = new Csp(
 		{

From c78fe333979928b17362e26261b1ac3d6632b433 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Tue, 12 Nov 2024 21:58:57 +0100
Subject: [PATCH 18/20] added back another test

---
 .../kit/src/runtime/server/page/csp.spec.js   | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 0236192f4971..328161340410 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -79,6 +79,29 @@ test('generates CSP header with nonce', () => {
 	);
 });
 
+test('skips nonce with unsafe-inline', () => {
+	const csp = new Csp(
+		{
+			mode: 'nonce',
+			directives: {
+				'default-src': ['unsafe-inline']
+			},
+			reportOnly: {
+				'default-src': ['unsafe-inline'],
+				'report-uri': ['/']
+			}
+		},
+		{
+			prerender: false
+		}
+	);
+
+	csp.add_script('');
+
+	assert.equal(csp.csp_provider.get_header(), "default-src 'unsafe-inline'");
+	assert.equal(csp.report_only_provider.get_header(), "default-src 'unsafe-inline'; report-uri /");
+});
+
 test('skips nonce in style-src when using unsafe-inline', () => {
 	const csp = new Csp(
 		{

From 06ca1de91d43123f96824255ff297e3b9b8fc24f Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Tue, 12 Nov 2024 22:00:56 +0100
Subject: [PATCH 19/20] add back skips nonce in style-src when using
 unsafe-inline test

---
 packages/kit/src/runtime/server/page/csp.spec.js | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index 328161340410..d0f2546f2901 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -79,15 +79,15 @@ test('generates CSP header with nonce', () => {
 	);
 });
 
-test('skips nonce with unsafe-inline', () => {
+test('skips nonce in style-src when using unsafe-inline', () => {
 	const csp = new Csp(
 		{
 			mode: 'nonce',
 			directives: {
-				'default-src': ['unsafe-inline']
+				'style-src': ['self', 'unsafe-inline']
 			},
 			reportOnly: {
-				'default-src': ['unsafe-inline'],
+				'style-src': ['self', 'unsafe-inline'],
 				'report-uri': ['/']
 			}
 		},
@@ -96,10 +96,13 @@ test('skips nonce with unsafe-inline', () => {
 		}
 	);
 
-	csp.add_script('');
+	csp.add_style('');
 
-	assert.equal(csp.csp_provider.get_header(), "default-src 'unsafe-inline'");
-	assert.equal(csp.report_only_provider.get_header(), "default-src 'unsafe-inline'; report-uri /");
+	assert.equal(csp.csp_provider.get_header(), "style-src 'self' 'unsafe-inline'");
+	assert.equal(
+		csp.report_only_provider.get_header(),
+		"style-src 'self' 'unsafe-inline'; report-uri /"
+	);
 });
 
 test('skips nonce in style-src when using unsafe-inline', () => {

From 8be42e1ff58ae63636ddcc7b2729de171a6e4809 Mon Sep 17 00:00:00 2001
From: Mathias Picker <mattis123@live.no>
Date: Tue, 12 Nov 2024 22:04:13 +0100
Subject: [PATCH 20/20] put tests in same order

---
 .../kit/src/runtime/server/page/csp.spec.js   | 64 ++++++-------------
 1 file changed, 19 insertions(+), 45 deletions(-)

diff --git a/packages/kit/src/runtime/server/page/csp.spec.js b/packages/kit/src/runtime/server/page/csp.spec.js
index d0f2546f2901..6dc1a9435856 100644
--- a/packages/kit/src/runtime/server/page/csp.spec.js
+++ b/packages/kit/src/runtime/server/page/csp.spec.js
@@ -79,15 +79,25 @@ test('generates CSP header with nonce', () => {
 	);
 });
 
-test('skips nonce in style-src when using unsafe-inline', () => {
+test('skips nonce with unsafe-inline', () => {
 	const csp = new Csp(
 		{
 			mode: 'nonce',
 			directives: {
-				'style-src': ['self', 'unsafe-inline']
+				'default-src': ['unsafe-inline'],
+				'script-src': ['unsafe-inline'],
+				'script-src-elem': ['unsafe-inline'],
+				'style-src': ['unsafe-inline'],
+				'style-src-attr': ['unsafe-inline'],
+				'style-src-elem': ['unsafe-inline']
 			},
 			reportOnly: {
-				'style-src': ['self', 'unsafe-inline'],
+				'default-src': ['unsafe-inline'],
+				'script-src': ['unsafe-inline'],
+				'script-src-elem': ['unsafe-inline'],
+				'style-src': ['unsafe-inline'],
+				'style-src-attr': ['unsafe-inline'],
+				'style-src-elem': ['unsafe-inline'],
 				'report-uri': ['/']
 			}
 		},
@@ -96,12 +106,16 @@ test('skips nonce in style-src when using unsafe-inline', () => {
 		}
 	);
 
+	csp.add_script('');
 	csp.add_style('');
 
-	assert.equal(csp.csp_provider.get_header(), "style-src 'self' 'unsafe-inline'");
+	assert.equal(
+		csp.csp_provider.get_header(),
+		"default-src 'unsafe-inline'; script-src 'unsafe-inline'; script-src-elem 'unsafe-inline'; style-src 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'"
+	);
 	assert.equal(
 		csp.report_only_provider.get_header(),
-		"style-src 'self' 'unsafe-inline'; report-uri /"
+		"default-src 'unsafe-inline'; script-src 'unsafe-inline'; script-src-elem 'unsafe-inline'; style-src 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'; report-uri /"
 	);
 });
 
@@ -131,46 +145,6 @@ test('skips nonce in style-src when using unsafe-inline', () => {
 	);
 });
 
-test('skips nonce with unsafe-inline', () => {
-	const csp = new Csp(
-		{
-			mode: 'nonce',
-			directives: {
-				'default-src': ['unsafe-inline'],
-				'script-src': ['unsafe-inline'],
-				'script-src-elem': ['unsafe-inline'],
-				'style-src': ['unsafe-inline'],
-				'style-src-attr': ['unsafe-inline'],
-				'style-src-elem': ['unsafe-inline']
-			},
-			reportOnly: {
-				'default-src': ['unsafe-inline'],
-				'script-src': ['unsafe-inline'],
-				'script-src-elem': ['unsafe-inline'],
-				'style-src': ['unsafe-inline'],
-				'style-src-attr': ['unsafe-inline'],
-				'style-src-elem': ['unsafe-inline'],
-				'report-uri': ['/']
-			}
-		},
-		{
-			prerender: false
-		}
-	);
-
-	csp.add_script('');
-	csp.add_style('');
-
-	assert.equal(
-		csp.csp_provider.get_header(),
-		"default-src 'unsafe-inline'; script-src 'unsafe-inline'; script-src-elem 'unsafe-inline'; style-src 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'"
-	);
-	assert.equal(
-		csp.report_only_provider.get_header(),
-		"default-src 'unsafe-inline'; script-src 'unsafe-inline'; script-src-elem 'unsafe-inline'; style-src 'unsafe-inline'; style-src-attr 'unsafe-inline'; style-src-elem 'unsafe-inline'; report-uri /"
-	);
-});
-
 test('skips hash with unsafe-inline', () => {
 	const csp = new Csp(
 		{