CSP: Missing nonce attribute on <style> tags injected by Didomi

[plevavas]

We’re using a strict Content-Security-Policy with a style-src 'nonce-...' directive.

The <style> tags injected by Didomi (e.g., inside #didomi-host) don’t have a nonce attribute, which causes them to be blocked by the browser.

Would it be possible to add support for setting a nonce?

Thanks.

[honzalo]

Hi @plevavas,

Thanks for opening the issue, and apologies for the late reply — this one slipped through.

We’ve added support for a custom nonce. You can now dynamically add the following code before the SDK is initialized:

const didomiConfig = {
  app: {
    nonce: nonceValue,
  },
};

<DidomiSDK
  config={didomiConfig}
[...]

The SDK will then automatically add the nonce attribute to the injected styles.

Let me know if you have any questions!