We have just started integrating our existing site with Builder.io. On pages that use it, we load the Builder content through the web components API. Up to now it has been working well.
However, we are now looking at implementing a more strict adoption of CSP Level 3, utilising nonces and hashes, which eliminates the possibility of running ‘unsafe-inline’ scripts and styles.
For now we aren’t using much in the way of custom scripting in Builder, so we’re not too concerned about the impact on scripts.
However, it looks like the styles for our Builder components (all built-in, nothing custom yet) are applied programmatically rather than being loaded via an external stylesheet. This is incompatible with our CSP.
Is there, or will there be, a way to tell Builder.io to serve its scripts and/or styles as external URLs that we can load securely?
Alternatively, could we pass a randomly generated nonce for the request along with our web component, allowing it to prerender the styles and scripts in an HTML element with that nonce?
If not, we may need to explore alternative services instead, which I really don’t want to do because Builder.io is the perfect blend of ease of use and technical capability for our environment.