style-src 'self' already permits same-origin stylesheets without a nonce. Injecting a nonce onto <link rel=stylesheet> causes silent CSS failure on mobile Safari and any setup where a caching proxy serves stale HTML (the nonce in the HTML no longer matches the per-request CSP header nonce). Nonce injection is now limited to <script> tags only, where it is actually required to permit the same-origin app.js.
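An added illustration of the point above, not code from this project: a simplified model of CSP source matching that assumes a policy of `script-src 'nonce-…' 'strict-dynamic'; style-src 'self'` and a constructed page origin, and shows that a stale cached nonce only breaks the script, since the same-origin stylesheet is covered by 'self' without any nonce.

```python
import re
from urllib.parse import urlparse

# Constructed sample values (assumptions, not taken from the project).
PAGE_ORIGIN = "https://app.example"
POLICY = "script-src 'nonce-{nonce}' 'strict-dynamic'; style-src 'self'"

def parse_csp(header):
    """Return {directive: [source expressions]} from a CSP header string."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def allows(sources, url, element_nonce):
    """Simplified CSP3 matching for one fetch: a matching nonce always wins;
    'strict-dynamic' disables host and 'self' matching for that directive;
    otherwise 'self' matches a URL on the page's own origin."""
    if element_nonce and f"'nonce-{element_nonce}'" in sources:
        return True
    if "'strict-dynamic'" in sources:
        return False
    if "'self'" in sources:
        u = urlparse(url)
        return f"{u.scheme}://{u.netloc}" == PAGE_ORIGIN
    return False

def inject_nonce(html, nonce):
    """Add the per-request nonce to <script> tags only (the fixed behaviour).
    <link rel=stylesheet> is left untouched because style-src 'self' already
    permits same-origin stylesheets."""
    return re.sub(r"<script\b", f'<script nonce="{nonce}"', html)

def simulate(html_nonce, request_nonce):
    """Outcome when HTML carrying html_nonce (possibly stale, from a cache)
    is served with a CSP header minted for request_nonce.
    Returns (script_allowed, stylesheet_allowed)."""
    csp = parse_csp(POLICY.replace("{nonce}", request_nonce))
    script_ok = allows(csp["script-src"], PAGE_ORIGIN + "/app.js", html_nonce)
    style_ok = allows(csp["style-src"], PAGE_ORIGIN + "/app.css", None)
    return script_ok, style_ok
```

With matching nonces both resources load; with a stale HTML nonce the script is blocked while the stylesheet still loads via 'self'.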