vike 0.4.237-commit-33e34e7 → 0.4.238-commit-5762291

package/dist/cjs/node/runtime/csp.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolvePageContextCspNone = resolvePageContextCspNone;
+exports.inferNonceAttr = inferNonceAttr;
+exports.addCspHeader = addCspHeader;
+const import_1 = require("@brillout/import");
+async function resolvePageContextCspNone(pageContext) {
+    if (pageContext.cspNonce)
+        return; // already set by user e.g. `renderPage({ cspNonce: '123456789' })`
+    const { csp } = pageContext.config;
+    if (!csp?.nonce)
+        return;
+    let cspNonce;
+    if (csp.nonce === true) {
+        cspNonce = await generateNonce();
+    }
+    else {
+        cspNonce = await csp.nonce(pageContext);
+    }
+    const pageContextAddendum = { cspNonce };
+    return pageContextAddendum;
+}
+// Generate a cryptographically secure nonce for Content Security Policy (CSP).
+// Returns a base64url-encoded nonce string (URL-safe, no padding).
+// https://github.com/vikejs/vike/issues/1554#issuecomment-3181128304
+async function generateNonce() {
+    let cryptoModule;
+    try {
+        cryptoModule = (await (0, import_1.import_)('crypto')).default;
+    }
+    catch {
+        return Math.random().toString(36).substring(2, 18);
+    }
+    return cryptoModule.randomBytes(16).toString('base64url');
+}
+function inferNonceAttr(pageContext) {
+    const nonceAttr = pageContext.cspNonce ? ` nonce="${pageContext.cspNonce}"` : '';
+    return nonceAttr;
+}
+function addCspHeader(pageContext, headersResponse) {
+    if (!pageContext.cspNonce)
+        return;
+    if (headersResponse.get('Content-Security-Policy'))
+        return;
+    headersResponse.set('Content-Security-Policy', `script-src 'self' 'nonce-${pageContext.cspNonce}'`);
+}

package/dist/cjs/node/runtime/html/injectAssets/getHtmlTags.js

@@ -15,6 +15,7 @@ const picocolors_1 = __importDefault(require("@brillout/picocolors"));
 const getConfigDefinedAt_js_1 = require("../../../../shared/page-configs/getConfigDefinedAt.js");
 const htmlElementIds_js_1 = require("../../../../shared/htmlElementIds.js");
 const isFontFallback_js_1 = require("../../renderPage/isFontFallback.js");
+const csp_js_1 = require("../../csp.js");
 const stamp = '__injectFilterEntry';
 async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectFilter, pageAssets, viteDevScript, isStream) {
     (0, utils_js_1.assert)([true, false].includes(pageContext._isHtmlOnly));
@@ -81,7 +82,7 @@ async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectF
         .forEach((asset) => {
         if (!asset.inject)
             return;
-        const htmlTag = asset.isEntry ? (0, inferHtmlTags_js_1.inferAssetTag)(asset) : (0, inferHtmlTags_js_1.inferPreloadTag)(asset);
+        const htmlTag = asset.isEntry ? (0, inferHtmlTags_js_1.inferAssetTag)(asset, pageContext) : (0, inferHtmlTags_js_1.inferPreloadTag)(asset);
         htmlTags.push({ htmlTag, position: asset.inject });
     });
     // ==========
@@ -142,7 +143,7 @@ async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectF
         });
     }
     // The JavaScript entry <script> tag
-    const scriptEntry = mergeScriptEntries(pageAssets, viteDevScript);
+    const scriptEntry = mergeScriptEntries(pageAssets, viteDevScript, pageContext);
     if (scriptEntry) {
         htmlTags.push({
             htmlTag: scriptEntry,
@@ -163,9 +164,9 @@ async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectF
     });
     return htmlTags;
 }
-function mergeScriptEntries(pageAssets, viteDevScript) {
+function mergeScriptEntries(pageAssets, viteDevScript, pageContext) {
     const scriptEntries = pageAssets.filter((pageAsset) => pageAsset.isEntry && pageAsset.assetType === 'script');
-    let scriptEntry = `${viteDevScript}${scriptEntries.map((asset) => (0, inferHtmlTags_js_1.inferAssetTag)(asset)).join('')}`;
+    let scriptEntry = `${viteDevScript}${scriptEntries.map((asset) => (0, inferHtmlTags_js_1.inferAssetTag)(asset, pageContext)).join('')}`;
     // We merge scripts to avoid the infamous HMR preamble error.
     // - Infamous HMR preamble error:
     //   ```browser-console
@@ -183,12 +184,13 @@ function mergeScriptEntries(pageAssets, viteDevScript) {
     //   ```
     // - Maybe an alternative would be to make Vike's client runtime entry <script> tag non-async. Would that work? Would it be a performance issue?
     //   - The entry <script> shouldn't be `<script defer>` upon HTML streaming, otherwise progressive hydration while SSR streaming won't work.
-    scriptEntry = (0, mergeScriptTags_js_1.mergeScriptTags)(scriptEntry);
+    scriptEntry = (0, mergeScriptTags_js_1.mergeScriptTags)(scriptEntry, pageContext);
     return scriptEntry;
 }
 function getPageContextJsonScriptTag(pageContext) {
     const pageContextClientSerialized = (0, sanitizeJson_js_1.sanitizeJson)((0, serializeContext_js_1.getPageContextClientSerialized)(pageContext, true));
-    const htmlTag = `<script id="${htmlElementIds_js_1.htmlElementId_pageContext}" type="application/json">${pageContextClientSerialized}</script>`;
+    const nonceAttr = (0, csp_js_1.inferNonceAttr)(pageContext);
+    const htmlTag = `<script id="${htmlElementIds_js_1.htmlElementId_pageContext}" type="application/json"${nonceAttr}>${pageContextClientSerialized}</script>`;
     // Used by contra.com https://github.com/gajus
     // @ts-expect-error
     pageContext._pageContextHtmlTag = htmlTag;
@@ -196,7 +198,8 @@ function getPageContextJsonScriptTag(pageContext) {
 }
 function getGlobalContextJsonScriptTag(pageContext) {
     const globalContextClientSerialized = (0, sanitizeJson_js_1.sanitizeJson)((0, serializeContext_js_1.getGlobalContextClientSerialized)(pageContext, true));
-    const htmlTag = `<script id="${htmlElementIds_js_1.htmlElementId_globalContext}" type="application/json">${globalContextClientSerialized}</script>`;
+    const nonceAttr = (0, csp_js_1.inferNonceAttr)(pageContext);
+    const htmlTag = `<script id="${htmlElementIds_js_1.htmlElementId_globalContext}" type="application/json"${nonceAttr}>${globalContextClientSerialized}</script>`;
     return htmlTag;
 }
 function assertInjectFilterEntries(injectFilterEntries) {

package/dist/cjs/node/runtime/html/injectAssets/inferHtmlTags.js

@@ -5,6 +5,8 @@ exports.inferAssetTag = inferAssetTag;
 exports.inferPreloadTag = inferPreloadTag;
 exports.inferEarlyHintLink = inferEarlyHintLink;
 const utils_js_1 = require("../../utils.js");
+const csp_js_1 = require("../../csp.js");
+// TODO/now rename scriptAttrs scriptCommonAttrs
 // We can't use `defer` here. With `defer`, the entry script won't start before `</body>` has been parsed, preventing progressive hydration during SSR streaming, see https://github.com/vikejs/vike/pull/1271
 const scriptAttrs = 'type="module" async';
 exports.scriptAttrs = scriptAttrs;
@@ -23,11 +25,12 @@ function inferPreloadTag(pageAsset) {
         .join(' ');
     return `<link ${attributes}>`;
 }
-function inferAssetTag(pageAsset) {
+function inferAssetTag(pageAsset, pageContext) {
     const { src, assetType, mediaType } = pageAsset;
     if (assetType === 'script') {
         (0, utils_js_1.assert)(mediaType === 'text/javascript');
-        return `<script src="${src}" ${scriptAttrs}></script>`;
+        const nonceAttr = (0, csp_js_1.inferNonceAttr)(pageContext);
+        return `<script src="${src}" ${scriptAttrs}${nonceAttr}></script>`;
     }
     if (assetType === 'style') {
         // WARNING: if changing following line, then also update https://github.com/vikejs/vike/blob/fae90a15d88e5e87ca9fcbb54cf2dc8773d2f229/vike/client/shared/removeFoucBuster.ts#L29

package/dist/cjs/node/runtime/html/injectAssets/mergeScriptTags.js

@@ -1,12 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.mergeScriptTags = mergeScriptTags;
+const csp_js_1 = require("../../csp.js");
 const utils_js_1 = require("../../utils.js");
 const inferHtmlTags_js_1 = require("./inferHtmlTags.js");
 const scriptRE = /(<script\b(?:\s[^>]*>|>))(.*?)<\/script>/gims;
 const srcRE = /\bsrc\s*=\s*(?:"([^"]+)"|'([^']+)'|([^\s'">]+))/im;
 const typeRE = /\btype\s*=\s*(?:"([^"]+)"|'([^']+)'|([^\s'">]+))/im;
-function mergeScriptTags(scriptTagsHtml) {
+function mergeScriptTags(scriptTagsHtml, pageContext) {
     let scriptTag = '';
     const scripts = parseScripts(scriptTagsHtml);
     // We need to merge module scripts to ensure execution order
@@ -35,7 +36,8 @@ function mergeScriptTags(scriptTagsHtml) {
                 }
             });
             if (contents.length > 0) {
-                scriptTag += `<script ${inferHtmlTags_js_1.scriptAttrs}>\n${contents.join('\n')}\n</script>`;
+                const nonceAttr = (0, csp_js_1.inferNonceAttr)(pageContext);
+                scriptTag += `<script ${inferHtmlTags_js_1.scriptAttrs}${nonceAttr}>\n${contents.join('\n')}\n</script>`;
             }
         }
     }

package/dist/cjs/node/runtime/renderPage/loadPageConfigsLazyServerSide.js

@@ -11,6 +11,7 @@ const analyzePage_js_1 = require("./analyzePage.js");
 const loadAndParseVirtualFilePageEntry_js_1 = require("../../../shared/page-configs/loadAndParseVirtualFilePageEntry.js");
 const execHookServer_js_1 = require("./execHookServer.js");
 const getCacheControl_js_1 = require("./getCacheControl.js");
+const csp_js_1 = require("../csp.js");
 async function loadPageConfigsLazyServerSide(pageContext) {
     (0, utils_js_1.objectAssign)(pageContext, {
         _pageConfig: (0, findPageConfig_js_1.findPageConfig)(pageContext._globalContext._pageConfigs, pageContext.pageId),
@@ -55,6 +56,7 @@ async function resolvePageContext(pageContext) {
             passToClient.push(...valS);
         });
     }
+    (0, utils_js_1.objectAssign)(pageContext, await (0, csp_js_1.resolvePageContextCspNone)(pageContext));
     (0, utils_js_1.objectAssign)(pageContext, {
         Page: pageContext.exports.Page,
         _isHtmlOnly: isHtmlOnly,
@@ -125,6 +127,7 @@ async function loadPageUserFiles_v1Design(pageContext) {
         pageFilesLoaded: pageFilesServerSide,
     };
 }
+// TODO/now: move all response headers code to headersResponse.ts
 function resolveHeadersResponse(pageContext) {
     const headersResponse = mergeHeaders(pageContext.config.headersResponse);
     if (!headersResponse.get('Cache-Control')) {
@@ -132,6 +135,7 @@ function resolveHeadersResponse(pageContext) {
         if (cacheControl)
             headersResponse.set('Cache-Control', cacheControl);
     }
+    (0, csp_js_1.addCspHeader)(pageContext, headersResponse);
     return headersResponse;
 }
 function mergeHeaders(headersList = []) {

package/dist/cjs/node/vite/shared/resolveVikeConfigInternal/configDefinitionsBuiltIn.js

@@ -173,6 +173,9 @@ const configDefinitionsBuiltIn = {
         env: { config: true },
         global: true,
     },
+    csp: {
+        env: { server: true },
+    },
     injectScriptsAt: {
         env: { server: true },
     },

package/dist/cjs/shared/page-configs/resolveVikeConfigPublic.js

@@ -1,9 +1,10 @@
 "use strict";
-// TO-DO/soon: rename PageConfig names
+// TODO/now: rename PageConfig names
 // - Use `Internal` suffix, i.e. {Page,Global}ConfigInternal
 //   - While keeping {Page,Global}ConfigPublic or remove Public suffix and rename it to {Page,Global}Config ?
 // - rename EagerLoaded EagerlyLoaded
 // - remove `LazyLoaded` suffix
+// TODO/now: rename VikeConfigPublicPageLazyLoaded PageContextSomething (for `pageContext: PageContextSomething` usage)
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/dist/cjs/utils/PROJECT_VERSION.js

@@ -2,4 +2,4 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PROJECT_VERSION = void 0;
 // Automatically updated by @brillout/release-me
-exports.PROJECT_VERSION = '0.4.237-commit-33e34e7';
+exports.PROJECT_VERSION = '0.4.238-commit-5762291';

package/dist/esm/node/prerender/runPrerender.d.ts

@@ -174,6 +174,8 @@ declare function createPageContextPrerendering(urlOriginal: string, prerenderCon
     _pageConfig: null | import("../../types/PageConfig.js").PageConfigRuntime;
 } & import("../../shared/getPageFiles.js").VikeConfigPublicPageLazyLoaded & {
     _pageConfig: null | import("../../types/PageConfig.js").PageConfigRuntime;
+} & {
+    cspNonce: string;
 } & {
     Page: unknown;
     _isHtmlOnly: boolean;

package/dist/esm/node/runtime/csp.d.ts

@@ -0,0 +1,12 @@
+export { resolvePageContextCspNone };
+export { inferNonceAttr };
+export { addCspHeader };
+export type { PageContextCspNonce };
+import type { VikeConfigPublicPageLazyLoaded } from '../../shared/getPageFiles.js';
+import type { PageContextServer } from '../../types/PageContext.js';
+declare function resolvePageContextCspNone(pageContext: VikeConfigPublicPageLazyLoaded & PageContextCspNonce): Promise<{
+    cspNonce: string;
+} | undefined>;
+type PageContextCspNonce = Pick<PageContextServer, 'cspNonce'>;
+declare function inferNonceAttr(pageContext: PageContextCspNonce): string;
+declare function addCspHeader(pageContext: PageContextCspNonce, headersResponse: Headers): void;

package/dist/esm/node/runtime/csp.js

@@ -0,0 +1,44 @@
+export { resolvePageContextCspNone };
+export { inferNonceAttr };
+export { addCspHeader };
+import { import_ } from '@brillout/import';
+async function resolvePageContextCspNone(pageContext) {
+    if (pageContext.cspNonce)
+        return; // already set by user e.g. `renderPage({ cspNonce: '123456789' })`
+    const { csp } = pageContext.config;
+    if (!csp?.nonce)
+        return;
+    let cspNonce;
+    if (csp.nonce === true) {
+        cspNonce = await generateNonce();
+    }
+    else {
+        cspNonce = await csp.nonce(pageContext);
+    }
+    const pageContextAddendum = { cspNonce };
+    return pageContextAddendum;
+}
+// Generate a cryptographically secure nonce for Content Security Policy (CSP).
+// Returns a base64url-encoded nonce string (URL-safe, no padding).
+// https://github.com/vikejs/vike/issues/1554#issuecomment-3181128304
+async function generateNonce() {
+    let cryptoModule;
+    try {
+        cryptoModule = (await import_('crypto')).default;
+    }
+    catch {
+        return Math.random().toString(36).substring(2, 18);
+    }
+    return cryptoModule.randomBytes(16).toString('base64url');
+}
+function inferNonceAttr(pageContext) {
+    const nonceAttr = pageContext.cspNonce ? ` nonce="${pageContext.cspNonce}"` : '';
+    return nonceAttr;
+}
+function addCspHeader(pageContext, headersResponse) {
+    if (!pageContext.cspNonce)
+        return;
+    if (headersResponse.get('Content-Security-Policy'))
+        return;
+    headersResponse.set('Content-Security-Policy', `script-src 'self' 'nonce-${pageContext.cspNonce}'`);
+}

package/dist/esm/node/runtime/html/injectAssets/getHtmlTags.js

@@ -10,6 +10,7 @@ import pc from '@brillout/picocolors';
 import { getConfigDefinedAt } from '../../../../shared/page-configs/getConfigDefinedAt.js';
 import { htmlElementId_globalContext, htmlElementId_pageContext } from '../../../../shared/htmlElementIds.js';
 import { isFontFallback } from '../../renderPage/isFontFallback.js';
+import { inferNonceAttr } from '../../csp.js';
 const stamp = '__injectFilterEntry';
 async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectFilter, pageAssets, viteDevScript, isStream) {
     assert([true, false].includes(pageContext._isHtmlOnly));
@@ -76,7 +77,7 @@ async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectF
         .forEach((asset) => {
         if (!asset.inject)
             return;
-        const htmlTag = asset.isEntry ? inferAssetTag(asset) : inferPreloadTag(asset);
+        const htmlTag = asset.isEntry ? inferAssetTag(asset, pageContext) : inferPreloadTag(asset);
         htmlTags.push({ htmlTag, position: asset.inject });
     });
     // ==========
@@ -137,7 +138,7 @@ async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectF
         });
     }
     // The JavaScript entry <script> tag
-    const scriptEntry = mergeScriptEntries(pageAssets, viteDevScript);
+    const scriptEntry = mergeScriptEntries(pageAssets, viteDevScript, pageContext);
     if (scriptEntry) {
         htmlTags.push({
             htmlTag: scriptEntry,
@@ -158,9 +159,9 @@ async function getHtmlTags(pageContext, streamFromReactStreamingPackage, injectF
     });
     return htmlTags;
 }
-function mergeScriptEntries(pageAssets, viteDevScript) {
+function mergeScriptEntries(pageAssets, viteDevScript, pageContext) {
     const scriptEntries = pageAssets.filter((pageAsset) => pageAsset.isEntry && pageAsset.assetType === 'script');
-    let scriptEntry = `${viteDevScript}${scriptEntries.map((asset) => inferAssetTag(asset)).join('')}`;
+    let scriptEntry = `${viteDevScript}${scriptEntries.map((asset) => inferAssetTag(asset, pageContext)).join('')}`;
     // We merge scripts to avoid the infamous HMR preamble error.
     // - Infamous HMR preamble error:
     //   ```browser-console
@@ -178,12 +179,13 @@ function mergeScriptEntries(pageAssets, viteDevScript) {
     //   ```
     // - Maybe an alternative would be to make Vike's client runtime entry <script> tag non-async. Would that work? Would it be a performance issue?
     //   - The entry <script> shouldn't be `<script defer>` upon HTML streaming, otherwise progressive hydration while SSR streaming won't work.
-    scriptEntry = mergeScriptTags(scriptEntry);
+    scriptEntry = mergeScriptTags(scriptEntry, pageContext);
     return scriptEntry;
 }
 function getPageContextJsonScriptTag(pageContext) {
     const pageContextClientSerialized = sanitizeJson(getPageContextClientSerialized(pageContext, true));
-    const htmlTag = `<script id="${htmlElementId_pageContext}" type="application/json">${pageContextClientSerialized}</script>`;
+    const nonceAttr = inferNonceAttr(pageContext);
+    const htmlTag = `<script id="${htmlElementId_pageContext}" type="application/json"${nonceAttr}>${pageContextClientSerialized}</script>`;
     // Used by contra.com https://github.com/gajus
     // @ts-expect-error
     pageContext._pageContextHtmlTag = htmlTag;
@@ -191,7 +193,8 @@ function getPageContextJsonScriptTag(pageContext) {
 }
 function getGlobalContextJsonScriptTag(pageContext) {
     const globalContextClientSerialized = sanitizeJson(getGlobalContextClientSerialized(pageContext, true));
-    const htmlTag = `<script id="${htmlElementId_globalContext}" type="application/json">${globalContextClientSerialized}</script>`;
+    const nonceAttr = inferNonceAttr(pageContext);
+    const htmlTag = `<script id="${htmlElementId_globalContext}" type="application/json"${nonceAttr}>${globalContextClientSerialized}</script>`;
     return htmlTag;
 }
 function assertInjectFilterEntries(injectFilterEntries) {

package/dist/esm/node/runtime/html/injectAssets/inferHtmlTags.d.ts

@@ -3,7 +3,8 @@ export { inferPreloadTag };
 export { inferEarlyHintLink };
 export { scriptAttrs };
 import type { PageAsset } from '../../renderPage/getPageAssets.js';
+import { type PageContextCspNonce } from '../../csp.js';
 declare const scriptAttrs = "type=\"module\" async";
 declare function inferPreloadTag(pageAsset: PageAsset): string;
-declare function inferAssetTag(pageAsset: PageAsset): string;
+declare function inferAssetTag(pageAsset: PageAsset, pageContext: PageContextCspNonce): string;
 declare function inferEarlyHintLink(pageAsset: PageAsset): string;

package/dist/esm/node/runtime/html/injectAssets/inferHtmlTags.js

@@ -3,6 +3,8 @@ export { inferPreloadTag };
 export { inferEarlyHintLink };
 export { scriptAttrs };
 import { assert } from '../../utils.js';
+import { inferNonceAttr } from '../../csp.js';
+// TODO/now rename scriptAttrs scriptCommonAttrs
 // We can't use `defer` here. With `defer`, the entry script won't start before `</body>` has been parsed, preventing progressive hydration during SSR streaming, see https://github.com/vikejs/vike/pull/1271
 const scriptAttrs = 'type="module" async';
 function inferPreloadTag(pageAsset) {
@@ -20,11 +22,12 @@ function inferPreloadTag(pageAsset) {
         .join(' ');
     return `<link ${attributes}>`;
 }
-function inferAssetTag(pageAsset) {
+function inferAssetTag(pageAsset, pageContext) {
     const { src, assetType, mediaType } = pageAsset;
     if (assetType === 'script') {
         assert(mediaType === 'text/javascript');
-        return `<script src="${src}" ${scriptAttrs}></script>`;
+        const nonceAttr = inferNonceAttr(pageContext);
+        return `<script src="${src}" ${scriptAttrs}${nonceAttr}></script>`;
     }
     if (assetType === 'style') {
         // WARNING: if changing following line, then also update https://github.com/vikejs/vike/blob/fae90a15d88e5e87ca9fcbb54cf2dc8773d2f229/vike/client/shared/removeFoucBuster.ts#L29

package/dist/esm/node/runtime/html/injectAssets/mergeScriptTags.d.ts

@@ -1,2 +1,3 @@
 export { mergeScriptTags };
-declare function mergeScriptTags(scriptTagsHtml: string): string;
+import { type PageContextCspNonce } from '../../csp.js';
+declare function mergeScriptTags(scriptTagsHtml: string, pageContext: PageContextCspNonce): string;

package/dist/esm/node/runtime/html/injectAssets/mergeScriptTags.js

@@ -1,10 +1,11 @@
 export { mergeScriptTags };
+import { inferNonceAttr } from '../../csp.js';
 import { assert } from '../../utils.js';
 import { scriptAttrs } from './inferHtmlTags.js';
 const scriptRE = /(<script\b(?:\s[^>]*>|>))(.*?)<\/script>/gims;
 const srcRE = /\bsrc\s*=\s*(?:"([^"]+)"|'([^']+)'|([^\s'">]+))/im;
 const typeRE = /\btype\s*=\s*(?:"([^"]+)"|'([^']+)'|([^\s'">]+))/im;
-function mergeScriptTags(scriptTagsHtml) {
+function mergeScriptTags(scriptTagsHtml, pageContext) {
     let scriptTag = '';
     const scripts = parseScripts(scriptTagsHtml);
     // We need to merge module scripts to ensure execution order
@@ -33,7 +34,8 @@ function mergeScriptTags(scriptTagsHtml) {
                 }
             });
             if (contents.length > 0) {
-                scriptTag += `<script ${scriptAttrs}>\n${contents.join('\n')}\n</script>`;
+                const nonceAttr = inferNonceAttr(pageContext);
+                scriptTag += `<script ${scriptAttrs}${nonceAttr}>\n${contents.join('\n')}\n</script>`;
             }
         }
     }

package/dist/esm/node/runtime/html/serializeContext.d.ts

@@ -8,6 +8,7 @@ import type { UrlRedirect } from '../../../shared/route/abort.js';
 import type { GlobalContextServerInternal } from '../globalContext.js';
 import type { PageContextCreated } from '../renderPage/createPageContextServerSide.js';
 import type { PageContextBegin } from '../renderPage.js';
+import type { PageContextCspNonce } from '../csp.js';
 type PageContextSerialization = PageContextCreated & {
     pageId: string;
     routeParams: Record<string, string>;
@@ -17,7 +18,7 @@ type PageContextSerialization = PageContextCreated & {
     _pageContextInit: Record<string, unknown>;
     _globalContext: GlobalContextServerInternal;
     _isPageContextJsonRequest: null | PageContextBegin['_isPageContextJsonRequest'];
-};
+} & PageContextCspNonce;
 declare function getPageContextClientSerialized(pageContext: PageContextSerialization, isHtmlJsonScript: boolean): string;
 declare function getGlobalContextClientSerialized(pageContext: PageContextSerialization, isHtmlJsonScript: boolean): string;
 type PassToClient = string[];

package/dist/esm/node/runtime/renderPage/loadPageConfigsLazyServerSide.d.ts

@@ -111,6 +111,8 @@ declare function loadPageConfigsLazyServerSide(pageContext: PageContext_loadPage
     _pageConfig: null | PageConfigRuntime;
 } & VikeConfigPublicPageLazyLoaded & {
     _pageConfig: null | PageConfigRuntime;
+} & {
+    cspNonce: string;
 } & {
     Page: unknown;
     _isHtmlOnly: boolean;

package/dist/esm/node/runtime/renderPage/loadPageConfigsLazyServerSide.js

@@ -9,6 +9,7 @@ import { analyzePage } from './analyzePage.js';
 import { loadAndParseVirtualFilePageEntry } from '../../../shared/page-configs/loadAndParseVirtualFilePageEntry.js';
 import { execHookServer } from './execHookServer.js';
 import { getCacheControl } from './getCacheControl.js';
+import { addCspHeader, resolvePageContextCspNone } from '../csp.js';
 async function loadPageConfigsLazyServerSide(pageContext) {
     objectAssign(pageContext, {
         _pageConfig: findPageConfig(pageContext._globalContext._pageConfigs, pageContext.pageId),
@@ -53,6 +54,7 @@ async function resolvePageContext(pageContext) {
             passToClient.push(...valS);
         });
     }
+    objectAssign(pageContext, await resolvePageContextCspNone(pageContext));
     objectAssign(pageContext, {
         Page: pageContext.exports.Page,
         _isHtmlOnly: isHtmlOnly,
@@ -123,6 +125,7 @@ async function loadPageUserFiles_v1Design(pageContext) {
         pageFilesLoaded: pageFilesServerSide,
     };
 }
+// TODO/now: move all response headers code to headersResponse.ts
 function resolveHeadersResponse(pageContext) {
     const headersResponse = mergeHeaders(pageContext.config.headersResponse);
     if (!headersResponse.get('Cache-Control')) {
@@ -130,6 +133,7 @@ function resolveHeadersResponse(pageContext) {
         if (cacheControl)
             headersResponse.set('Cache-Control', cacheControl);
     }
+    addCspHeader(pageContext, headersResponse);
     return headersResponse;
 }
 function mergeHeaders(headersList = []) {

package/dist/esm/node/runtime/renderPage/renderPageAfterRoute.d.ts

@@ -127,6 +127,8 @@ declare function prerenderPage(pageContext: PageContextCreated & PageConfigsLazy
         _pageConfig: null | import("../../../types/PageConfig.js").PageConfigRuntime;
     } & import("../../../shared/getPageFiles.js").VikeConfigPublicPageLazyLoaded & {
         _pageConfig: null | import("../../../types/PageConfig.js").PageConfigRuntime;
+    } & {
+        cspNonce: string;
     } & {
         Page: unknown;
         _isHtmlOnly: boolean;
@@ -246,6 +248,8 @@ declare function prerenderPage(pageContext: PageContextCreated & PageConfigsLazy
         _pageConfig: null | import("../../../types/PageConfig.js").PageConfigRuntime;
     } & import("../../../shared/getPageFiles.js").VikeConfigPublicPageLazyLoaded & {
         _pageConfig: null | import("../../../types/PageConfig.js").PageConfigRuntime;
+    } & {
+        cspNonce: string;
     } & {
         Page: unknown;
         _isHtmlOnly: boolean;

package/dist/esm/node/vite/shared/resolveVikeConfigInternal/configDefinitionsBuiltIn.js

@@ -171,6 +171,9 @@ const configDefinitionsBuiltIn = {
         env: { config: true },
         global: true,
     },
+    csp: {
+        env: { server: true },
+    },
     injectScriptsAt: {
         env: { server: true },
     },

package/dist/esm/shared/page-configs/resolveVikeConfigPublic.js

@@ -1,8 +1,9 @@
-// TO-DO/soon: rename PageConfig names
+// TODO/now: rename PageConfig names
 // - Use `Internal` suffix, i.e. {Page,Global}ConfigInternal
 //   - While keeping {Page,Global}ConfigPublic or remove Public suffix and rename it to {Page,Global}Config ?
 // - rename EagerLoaded EagerlyLoaded
 // - remove `LazyLoaded` suffix
+// TODO/now: rename VikeConfigPublicPageLazyLoaded PageContextSomething (for `pageContext: PageContextSomething` usage)
 // TO-DO/soon/same-api: use public API internally?
 // TO-DO/soon/flat-pageContext: rename definedAt => definedBy
 export { resolveVikeConfigPublicGlobal };

package/dist/esm/types/Config.d.ts

@@ -468,6 +468,14 @@ type ConfigBuiltIn = {
      * https://vike.dev/mode
      */
     mode?: string;
+    /**
+     * Content Security Policy (CSP).
+     *
+     * https://vike.dev/csp
+     */
+    csp?: {
+        nonce: boolean | ((pageContext: PageContextServer) => string | Promise<string>);
+    };
     /** Where scripts are injected in the HTML.
      *
      * https://vike.dev/injectScriptsAt

package/dist/esm/types/PageContext.d.ts

@@ -183,6 +183,12 @@ type PageContextBuiltInServer<Data> = PageContextBuiltInCommon<Data> & PageConte
      * https://vike.dev/pageContext#globalContext
      */
     globalContext: GlobalContextServer;
+    /**
+     * The CSP nonce.
+     *
+     * https://vike.dev/csp
+     */
+    cspNonce?: string;
     isHydration?: undefined;
     isBackwardNavigation?: undefined;
     previousPageContext?: undefined;

package/dist/esm/utils/PROJECT_VERSION.d.ts

@@ -1 +1 @@
-export declare const PROJECT_VERSION: "0.4.237-commit-33e34e7";
+export declare const PROJECT_VERSION: "0.4.238-commit-5762291";

package/dist/esm/utils/PROJECT_VERSION.js

@@ -1,2 +1,2 @@
 // Automatically updated by @brillout/release-me
-export const PROJECT_VERSION = '0.4.237-commit-33e34e7';
+export const PROJECT_VERSION = '0.4.238-commit-5762291';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vike",
-  "version": "0.4.237-commit-33e34e7",
+  "version": "0.4.238-commit-5762291",
   "repository": "https://github.com/vikejs/vike",
   "exports": {
     "./server": {