Incompatible with strict Content-Security-Policy

[jacquesg]

Currently using dynamic substitutions with the inline style tag:

    <script>
      globalThis.import_meta_env = JSON.parse('"import_meta_env_placeholder"');
    </script>

Unfortunately, this requires adding unsafe-inline as an option to the script-src value when using the Content-Security-Policy header.

Is there an alternative mechanism available, which would allow this code to reside in a "real" script?

[soc221b]

Hi, @jacquesg

Please try the other solution we made: https://github.com/runtime-env/runtime-env

Since the runtime-env's approach is to load a external script (same origin from your app) generated at runtime, it should works with script-src: self.

Thank you. 😃