Blockage of Nuxt inline script

[OndrejSerek]

Environment

Operating system      Linux 6.16.10-061610-generic                      │
│ │  CPU                   12th Gen Intel(R) Core(TM) i7-12700H (20 cores)   │
│ │  Node.js version       v23.6.1                                           │
│ │  nuxt/cli version      3.31.1                                            │
│ │  Package manager       pnpm 10.25.0                                      │
│ │  Nuxt version          3.20.1                                            │
│ │  Nitro version         2.12.9                                            │
│ │  Builder               vite 7.2.7

Nuxt Security Version

2.4.0

Default setup used?

Yes, the bug happens even if the security option is not customized

Security options

Reproduction

The issue is well described in the links provided.
nuxt/nuxt#27004
datagouv/data.gouv.fr#1557

Description

The nuxt config script is included without nonce even when using the strict-dynamic. It happens probably only in SSR mode. It causes blockage and following error in the console:
Executing inline script violates the following Content Security Policy directive 'script-src-elem 'strict-dynamic' 'nonce-l3smXXXXXXXXXXXXXXXXX''. Either the 'unsafe-inline' keyword, a hash ('sha256-UTZUjwljYeg+MLIeh9Mmi9Yps14Tmt3oF4s4z0F31n8='), or a nonce ('nonce-...') is required to enable inline execution. The policy is report-only, so the violation has been logged but no further action has been taken

<script> window.__NUXT__ = {}; window.__NUXT__.config = { public: { ....My nuxt config is included here.

Additional context

I have found some issues describing this problem, but none of it seems to provide a clean solution. Using https://www.npmjs.com/package/nuxt-inline-scripts to disable nuxt inline scripts just does not seem right.
nuxt/nuxt#27004
datagouv/data.gouv.fr#1557

Logs

[Baroshem]

Heyo,

Check out this section in our docs that describes how to work with scripts :)

https://nuxt-security.vercel.app/advanced/strict-csp#whitelisting-external-resources

[OndrejSerek]

Okay, but this script is added by Nuxt internally. Not by us. We use the useScript directive for our scripts and it works, but we are not able to inject the nonce to the nuxt internal script.

[vejja]

Hi @OndrejSerek
I am surprised by what you are reporting. If you have strict-dynamic set and use useScript(), it should always work.
How are you loading your inline script?

[BrutCZE]

The issue is about nuxt payload extraction. Some context:

https://github.com/nuxt/nuxt/blob/main/packages/nitro-server/src/runtime/utils/renderer/payload.ts

https://github.com/nuxt/nuxt/blob/main/packages/nitro-server/src/runtime/handlers/renderer.ts#L259

Since Nuxt handles the addition of this script itself, maybe we have to wait until Nuxt has native CSP support: nuxt/nuxt#11793