added CSP

app.config.ts

@@ -3,6 +3,9 @@ import { VitePWA } from 'vite-plugin-pwa'
 
 export default defineConfig({
     vite: {
+        html: {
+            cspNonce: 'KAAS_IS_AWESOME',
+        },
         plugins: [
             VitePWA({
                 mode: 'development',

src/entry-server.tsx

@@ -4,20 +4,39 @@ import { installIntoGlobal } from "iterator-helpers-polyfill";
 
 installIntoGlobal();
 
-export default createHandler(() => (
+export default createHandler(({ nonce }) => {
-  <StartServer
+  return (
-    document={({ assets, children, scripts }) => (
+    <StartServer
-      <html lang="en">
+      document={({ assets, children, scripts }) => {
-        <head>
+        return (
-          <meta charset="utf-8" />
+          <html lang="en">
-          <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
+            <head>
-          {assets}
+              <meta charset="utf-8" />
-        </head>
+              <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
-        <body>
+              <meta property="csp-nonce" nonce={nonce} />
-          {children}
+              {assets}
-          {scripts}
+            </head>
-        </body>
+            <body>
-      </html>
+              {children}
-    )}
+              {scripts}
-  />
+            </body>
-));
+          </html>
+        );
+      }} />
+  );
+}, event => {
+  const nonce = crypto.randomUUID();
+  const base = `'self' 'nonce-${nonce}'`;
+
+  const policies = {
+    default: base,
+    connect: `${base} ws://localhost:*`,
+    style: `'self' data: https://fonts.googleapis.com 'unsafe-inline'`,
+    // style: `${base} data: https://fonts.googleapis.com`,
+    font: `${base} https://*.gstatic.com`,
+  } as const;
+
+  event.response.headers.append('Content-Security-Policy', Object.entries(policies).map(([p, v]) => `${p}-src ${v}`).join('; '))
+
+  return { nonce };
+});