Which project does this relate to?
Start
Describe the bug
When setting ssr.nonce on the router config, not all inline scripts get the nonce added.
There is an inline script added to the head which does not have a nonce and gets flagged by CSP.
I'm very new to Start and SSR in general, so it's very possible I'm doing something wrong 😬.
I've created a minimal repro here. It was created with pnpm create @tanstack/start@latest, by:
- selecting options for tailwind and nitro,
- adding the ssr.nonce config, and
- updating the serve command to use the nitro server.
Note
This example purposely avoids adding a CSP header or a secure nonce to avoid cluttering the example. If needed, I can add those to the repro.
Your Example Website or App
https://stackblitz.com/github/corwinsheahan-wf/tanstack-nonce-repro
Steps to Reproduce the Bug or Issue
- Open stackblitz url
- Run pnpm build && pnpm serve
- Click "Open preview in new tab"
- Inspect the HTML in the browser's dev tools and verify that there is an inline script appended to the head element which does not have a nonce, while other inline scripts do have a nonce.
Expected behavior
All inline scripts should have a nonce applied.
Screenshots or Videos
Platform
- Router Version: 1.133.3
- Start Version: 1.133.6
- OS: Mac OS
- Browser: Chrome
- Browser Version: 141.0.7390.65
- Bundler: vite
- Bundler Version: 7.1.0
Here's the full result of a pnpm list:
Additional context
No response
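A check that a build pipeline could run against the served HTML to catch the behaviour reported above, as an added example that is not part of the original issue or of the project's code. The function names, the sample HTML and the nonce value abc123 are constructed for illustration, and the scan assumes well-formed server output rather than arbitrary HTML.

```javascript
// Added example: flag inline <script> elements in server-rendered HTML that
// do not carry the expected CSP nonce. Regex-based scan, not a full HTML parser.

// Parse a start tag's attribute text into a lowercase-name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Script types a browser executes; data blocks (e.g. application/json) are
// not executed and are skipped.
const EXECUTABLE = new Set(["", "module", "text/javascript", "application/javascript"]);

function findInlineScriptsMissingNonce(html, expectedNonce) {
  const findings = [];
  const re = /<script\b((?:"[^"]*"|'[^']*'|[^>"'])*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if ("src" in attrs) continue; // external script, out of scope here
    const type = (attrs.type || "").trim().toLowerCase();
    if (!EXECUTABLE.has(type)) continue; // non-executed data block
    if (attrs.nonce !== expectedNonce) {
      findings.push({
        offset: m.index,
        nonce: attrs.nonce ?? null,
        preview: m[2].trim().slice(0, 40),
      });
    }
  }
  return findings;
}

// Constructed sample: one nonced inline script, one without, a JSON data
// block, and an external script.
const SAMPLE_HTML = `<!doctype html><html><head>
<script nonce="abc123">window.__boot = 1</script>
<script>document.documentElement.dataset.ready = "1"</script>
<script type="application/json" id="state">{"a":1}</script>
<script src="/assets/app.js" nonce="abc123"></script>
</head><body></body></html>`;

console.log(findInlineScriptsMissingNonce(SAMPLE_HTML, "abc123"));
```

Run it on the raw response body from the built server, since scripts injected later by client-side code do not appear there and need a separate check.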