Description
Hi Didomi team 👋
We're currently integrating the Didomi React SDK into a project that enforces a strict Content Security Policy (CSP), which requires all inline scripts to include a nonce attribute. However, we noticed that the SDK does not provide a way to set a nonce on the injected <script> tags, which causes CSP violations and blocks the Didomi scripts from executing.
Expected behavior:
There should be a way to pass a nonce value (e.g., via a prop or config option) so that the SDK can include it in the <script> tags it injects.
Actual behavior:
No nonce attribute is added to the injected scripts, and CSP blocks them.
Suggested solution:
Add support for a nonce prop in the React component or configuration object, which would be applied to all dynamically injected <script> elements.
Environment:
Package: @didomi/react
Framework: React
CSP: strict mode with script-src 'nonce-xyz'
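
The behaviour reported above, as an added example that is not part of the original issue and is not Didomi SDK code: a loader that forwards a nonce to the script element it injects, plus a simplified model of the nonce check under the script-src 'nonce-xyz' policy. The function names, the stand-in document object and the default-src part of the policy are assumptions made for this example.

```javascript
// Added example; every name below is hypothetical, not the Didomi SDK API.

// Return the nonces that a policy's script-src directive allows.
function allowedScriptNonces(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find(([name]) => name.toLowerCase() === 'script-src');
  if (!directive) return [];
  return directive
    .slice(1)
    .map((source) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/i.exec(source))
    .filter(Boolean)
    .map((match) => match[1]);
}

// Loader that forwards the page's nonce to the element it injects.
function injectScript(doc, { src, text, nonce }) {
  const el = doc.createElement('script');
  if (nonce) el.nonce = nonce; // set before insertion, when the browser applies CSP
  if (src) {
    el.src = src;
    el.async = true;
  } else {
    el.text = text;
  }
  doc.head.appendChild(el);
  return el;
}

// Simplified model of the nonce check only (hash and host sources are ignored).
function nonceCheckPasses(policy, el) {
  return Boolean(el.nonce) && allowedScriptNonces(policy).includes(el.nonce);
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  const injected = [];
  return {
    injected,
    createElement: (tag) => ({ tagName: tag.toUpperCase(), nonce: '' }),
    head: { appendChild: (el) => injected.push(el) },
  };
}

// Constructed policy matching the one in the report.
const POLICY = "default-src 'self'; script-src 'nonce-xyz'";
```

In a browser, pass the real document as the first argument; the nonce must be the per-response value the server placed in the CSP header.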