add csp nonce when needed

Author: lovasoa

.github/workflows/ci.yml

@@ -47,8 +47,10 @@ jobs:
       - name: Build
         run: |
           npx parcel build --public-url /dist/
+          ./add_csp_nonce.sh
           cp dist/spreadsheet_component.html spreadsheet.dist.handlebars
           npx parcel build --public-url https://lovasoa.github.io/sqlpage-spreadsheet/${{ steps.get_version.outputs.VERSION }}/dist/
+          ./add_csp_nonce.sh
           cp dist/spreadsheet_component.html spreadsheet.handlebars
 
       - name: Create Release ZIP

add_csp_nonce.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+sed \
+    --in-place \
+    --regexp-extended \
+    --expression='s/<script (nonce="[^"]*")?/<script nonce="{{@csp_nonce}}"/g' \
+    "dist/spreadsheet_component.html"
+
+echo "CSP nonce added to spreadsheet_component.html"

package.json

@@ -5,7 +5,8 @@
 	"source": "./src/spreadsheet_component.html",
 	"browserslist": "> 3%, last 2 versions, not dead",
 	"scripts": {
-		"build": "parcel build --no-optimize --public-url /dist/",
+		"build": "parcel build --no-optimize --public-url /dist/ && ./add_csp_nonce.sh",
+		"build-optimized": "parcel build --public-url /dist/ && ./add_csp_nonce.sh",
 		"dev": "parcel watch --public-url /dist/ & (cd demo && ./sqlpage.bin)",
 		"lint": "biome check",
 		"typecheck": "tsc --noEmit",

src/spreadsheet_component.html

@@ -54,4 +54,4 @@ <h5 class="modal-title">Cell Update</h5>
   </div>
 </div>
 
-<script type="module" nonce="{{@csp_nonce}}" src="./spreadsheet.ts"></script>
+<script nonce="{{@csp_nonce}}" type="module" src="./spreadsheet.ts"></script>