[Bug]: CSP inline style error even when noonce is provided

[ryparker]

What happened?

When wrapping layout with the ThemeProvider and a noonce provided, and a strict CSP style-src, then I receive the following error in console:

layout-5770ccc27b841829.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-YjZlNzFjOTItYjNlYy00MTBhLWJjODAtZDE3N2VlOWY2Y2Yz'". Either the 'unsafe-inline' keyword, a hash ('sha256-GNF74DLkXb0fH3ILHgILFjk1ozCF3SNXQ5mQb7WLu/Y='), or a nonce ('nonce-...') is required to enable inline execution.

The error references the following code:

, f = ()=>{
            let e = document.createElement("style");
            return e.appendChild(document.createTextNode("*{-webkit-transition:none!important;-moz-transition:none!important;-o-transition:none!important;-ms-transition:none!important;transition:none!important}")),
            document.head.appendChild(e),  <--- Error line
            ()=>{
                window.getComputedStyle(document.body),
                setTimeout(()=>{
                    document.head.removeChild(e)
                }
                , 1)
            }
        }
          , h = e=>(e || (e = window.matchMedia(a)),
        e.matches ? "dark" : "light")

document.head.appendChild(e), is the referenced error line.

Tested it on a production build of a nextjs (v14.2.4 w/ app dir) app, error logs twice in console (duplicates). Page only renders the provider, nothing else.

Browser: Brave

Version

0.3.0

What browsers are you seeing the problem on?

Chrome (brave)

[BaDo2001]

+1