Skip to content

Fix #14270: Svelte 5 and CSP#17776

Closed
danielalanbates wants to merge 1 commit intosveltejs:mainfrom
danielalanbates:fix/issue-14270
Closed

Fix #14270: Svelte 5 and CSP#17776
danielalanbates wants to merge 1 commit intosveltejs:mainfrom
danielalanbates:fix/issue-14270

Conversation

@danielalanbates
Copy link

@danielalanbates danielalanbates commented Feb 22, 2026

Fixes #14270

Summary

This PR fixes: Svelte 5 and CSP

Changes

packages/svelte/src/internal/client/dom/css.js | 7 +++++++
 1 file changed, 7 insertions(+)

Testing

Please review the changes carefully. The fix was verified against the existing test suite.

This PR was created with the assistance of Claude Sonnet 4.6 by Anthropic | effort: low. Happy to make any adjustments!

By submitting this pull request, I confirm that my contribution is made under the terms of the project's license (contributor license agreement).

@claude
fix: propagate CSP nonce to dynamically injected style elements
53e5fa4 
When Svelte components inject `<style>` elements at runtime via
`append_styles`, these elements now inherit the CSP nonce from any
existing nonce-bearing element on the page. This allows them to pass
CSP checks when a `style-src 'nonce-...'` policy is in effect.

Browsers expose `element.nonce` to JavaScript while hiding it from CSS
selectors, so querying `[nonce]` and reading `.nonce` is safe and
works correctly.

Fixes sveltejs#14270

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
@changeset-bot
Copy link

changeset-bot bot commented Feb 22, 2026

⚠️ No Changeset found

Latest commit: 53e5fa4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@danielalanbates
Copy link
Author

danielalanbates commented Mar 19, 2026

Apologies for the noise — this PR didn't meet the quality bar for this project. Closing it out. Thank you for your patience and for maintaining this project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Svelte 5 and CSP

1 participant

@danielalanbates