Problem
When a route handler returns ctx.html() or ctx.json() instead of ctx.render(), the CSP middleware silently falls back to 'unsafe-inline' without any warning.
Root Cause
In `packages/fresh/src/middlewares/csp.ts`, when `useNonce: true` is configured:
- The middleware reads the nonce from the response: `(res as any)[NONCE_SYMBOL]` (line 119). `ctx.render()` sets this symbol via `RenderState` → response (`context.ts:503`).
- But `ctx.html()`, `ctx.json()`, `ctx.text()` and `ctx.redirect()` never set it.
- When `nonce` is `undefined`, the CSP directive silently includes `'unsafe-inline'` instead of `'nonce-${nonce}'` (lines 131-133).
- No warning is logged anywhere.
This means a developer who configures `useNonce: true`, thinking all routes are protected, but has some routes using `ctx.html()`, gets zero indication that those routes degraded to a weaker CSP. The degraded policy permits any inline script, which is exactly what the nonce was meant to block, so an injection on one of those routes is not mitigated.
Suggested Fix
Add a `console.warn` in development mode when `useNonce: true` is configured but no nonce was found on the response:

```ts
// nonce is the value read from (res as any)[NONCE_SYMBOL] a few lines earlier
if (nonce === undefined && force) {
  console.warn(
    `CSP middleware configured with useNonce but no nonce found. ` +
      `Falling back to 'unsafe-inline'. Use ctx.render() or set the nonce manually.`,
  );
}
```
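The fallback and the proposed warning, as an added stand-alone model (this is not Fresh's `csp.ts`; the symbol name, the `onDegraded` hook, the `renderResponse`/`plainResponse` helpers and the route labels are assumptions chosen to mirror the description above). It also includes a header check that a test suite can run against every route to catch a response that silently regressed to `'unsafe-inline'`:

```typescript
// Model of the behaviour described in the report. NOT Fresh's own code:
// NONCE_SYMBOL, CspOptions.onDegraded and the helper names are assumptions.
const NONCE_SYMBOL = Symbol("nonce"); // assumed; Fresh's symbol is internal

// Minimal stand-in for a Response; only headers and the nonce slot matter here.
type Res = { headers: Map<string, string> };

interface CspOptions {
  useNonce: boolean;
  // Assumed hook standing in for the console.warn the report proposes.
  onDegraded?: (message: string) => void;
}

/** Mirrors ctx.render(): the nonce is attached to the response via the symbol. */
export function renderResponse(nonce: string): Res {
  const res: Res = { headers: new Map() };
  (res as any)[NONCE_SYMBOL] = nonce;
  return res;
}

/** Mirrors ctx.html()/ctx.json()/ctx.text(): no nonce is ever attached. */
export function plainResponse(): Res {
  return { headers: new Map() };
}

/**
 * Sets the CSP header the way the report says the middleware does:
 * nonce present -> 'nonce-...', otherwise 'unsafe-inline'. Reports the
 * degradation through onDegraded instead of staying silent.
 */
export function applyCsp(
  res: Res,
  opts: CspOptions,
  route = "?",
): { degraded: boolean; csp: string } {
  const nonce = (res as any)[NONCE_SYMBOL] as string | undefined;
  const degraded = opts.useNonce && nonce === undefined;
  if (degraded) {
    opts.onDegraded?.(
      `CSP: useNonce is set but ${route} carries no nonce; emitting 'unsafe-inline'`,
    );
  }
  const scriptSrc = nonce !== undefined
    ? `'self' 'nonce-${nonce}'`
    : `'self' 'unsafe-inline'`;
  const csp = `default-src 'self'; script-src ${scriptSrc}`;
  res.headers.set("content-security-policy", csp);
  return { degraded, csp };
}

/**
 * Check for any response: true when the effective script policy permits inline
 * scripts, i.e. it carries 'unsafe-inline' and no nonce or hash source.
 * (Browsers ignore 'unsafe-inline' once a nonce- or sha- source is present.)
 */
export function allowsInlineScript(csp: string): boolean {
  const directives = csp.split(";").map((d) => d.trim().split(/\s+/));
  // script-src governs scripts; if absent, default-src applies.
  const d = directives.find((p) => p[0] === "script-src") ??
    directives.find((p) => p[0] === "default-src");
  if (!d) return true; // no policy for scripts at all: inline scripts run
  const sources = d.slice(1);
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return hasUnsafeInline && !hasNonceOrHash;
}

/** Runs the two routes from the report side by side and collects the warnings. */
export function demo(): {
  renderedDegraded: boolean;
  htmlDegraded: boolean;
  htmlCsp: string;
  warnings: string[];
} {
  const warnings: string[] = [];
  const opts: CspOptions = { useNonce: true, onDegraded: (m) => warnings.push(m) };
  const rendered = applyCsp(renderResponse("abc123"), opts, "GET /"); // ctx.render()
  const html = applyCsp(plainResponse(), opts, "GET /about"); // ctx.html()
  return {
    renderedDegraded: rendered.degraded,
    htmlDegraded: html.degraded,
    htmlCsp: html.csp,
    warnings,
  };
}
```

`allowsInlineScript` is the piece worth keeping around: point it at the `Content-Security-Policy` header of every route in an integration test and a route that quietly switched to `ctx.html()` fails the build instead of shipping with inline scripts allowed.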