CSP Nonce

[g-stefan]

This modification allow usage when CSP Nonce is set (same nonce on script and style).
The Content-Security-Policy headers are as follow:

• script-src 'self' 'nonce-[foo-bar]' 'strict-dynamic';
• style-src 'self' 'nonce-[foo-bar]';

The code uses the nonce from first document loaded script (can be the OverlayScrollbars source or other), as allowed by javascript CSP specification Nonce
I now can use OverlayScrollbars with more restrictive CSP. No need for unsafe-inline.

Without patch:

With patch:

Thank you!

[KingSora]

Good day @g-stefan :)

I havent really considered CSP before..

To me this implementation looks a little bit hacky, wouldn't something like this be better?

// asssign the nonce before you interact with the library
OverlayScrollbars.nonce('noncevalue');

// after nonce is assigned you can do everything
const osInstance = OverlayScrollbars(document.body, {});

[g-stefan]

Yes, is better.
The nonce must be applied to the style node fragment. I don't know the internals. How the style node is generated/extracted. So is a hacky way for me at the moment.
Thank you!

[KingSora]

@g-stefan I've published v2.9.0 which includes this change :)

[g-stefan]

Tested. Works flawlessly!
Thank you!