Gronod
3c3382401c
style-src 'self' already permits same-origin stylesheets without a nonce. Injecting a nonce onto <link rel=stylesheet> causes silent CSS failure on mobile Safari and any setup where a caching proxy serves stale HTML (the nonce in the HTML no longer matches the per-request CSP header nonce). Nonce injection is now limited to <script> tags only, where it is actually required to permit the same-origin app.js.