How to make the WebComponents API work with a strict Content Security Policy (CSP)?

We have just started integrating our existing site with On pages that use it, we load the Builder content through the web components API. Up to now it has been working well.

However, we are now looking at implementing a more strict adoption of CSP Level 3, utilising nonces and hashes, which eliminates the possibility of running ‘unsafe-inline’ scripts and styles.

For now we aren’t using much in the way of custom scripting in Builder, so we’re not too concerned about the impact on scripts.

However, it looks like the styles for our Builder components (all built-in, nothing custom yet) are applied programmatically rather than being loaded via an external stylesheet. This is incompatible with our CSP.

Is there, or will there be, a way to tell to serve its scripts and/or styles as external URLs that we can load securely?

Alternatively, could we pass a randomly generated nonce for the request along with our web component, allowing it to prerender the styles and scripts in an HTML element with that nonce?

If not, we may need to explore alternative services instead, which I really don’t want to do because is the perfect blend of ease of use and technical capability for our environment.

Hello @geoff.talbot !

It sounds to me like you would want to use a Custom Code element to add any external CSS or your own <style> html elements

You can find the Custom Code element in the Code section of the Insert tab:
Screen Shot 2022-09-09 at 12.08.16 PM

And from here you can add style sheets as HTML like so:
Screen Shot 2022-09-09 at 12.10.48 PM

Does this achieve your intended use? Let me know if you have any further questions!