docs: clarify cspNonce limitations in SPA deployments

[lodsa-ntos]

This PR clarifies the documentation about using html.cspNonce in Single Page Application (SPA) deployments.

The CSP specification only requires generating a unique nonce per HTML response. In a pure SPA, client-side navigations do not reload the HTML document, so the nonce is not rotated automatically after the initial load. This is not a spec violation, but in practice it means that nonce-based CSP requires either propagating the current nonce to dynamically created scripts or using strict-dynamic from a trusted bootstrap script.

For cases where per-navigation nonce rotation or policy changes are required, SSR or serving fresh HTML responses is recommended.

Fixes #20531

[sapphi-red]

the nonce meta tag will not be refreshed on subsequent requests. This means that enforcing CSP with nonces in a pure SPA deployment is not fully reliable.

Why does the nonce meta tag need to be refreshed on SPA navigations? The spec only says "If a server delivers a nonce-source expression as part of a policy, the server MUST generate a unique value each time it transmits a policy.". SPA navigations will not cause the server to re-send the policy. The spec does not say that the nonce should be re-generated for SPA navigations.

[lodsa-ntos]

Thanks for pointing that out 🙏 You're right, the spec requires the server to generate a new nonce on each response. My concern here is that in SPA deployments, after the initial response, subsequent navigations do not trigger new HTML responses, so scripts injected later (or dynamically created) cannot rely on a fresh nonce.

I’ll rephrase the note to make this clearer: it’s not that the spec requires re-generation on SPA navigations, but rather that SPAs don’t naturally provide new nonces after the initial load, which can weaken CSP enforcement in practice.

[sapphi-red]

scripts injected later (or dynamically created) cannot rely on a fresh nonce.

I don't find that to be a problem. Would you elaborate on why this is a problem and would weaken CSP enforcement?

[lodsa-ntos]

Thanks, fair point. To clarify: not getting a fresh nonce on SPA navigations is not a spec violation and isn’t a problem by itself. The issue is operational: after the initial load, any scripts you create at runtime must either (a) carry the current document’s nonce or (b) be allowed via strict-dynamic from a trusted bootstrap script. If a team doesn’t do one of these, they often relax the policy ('unsafe-inline', broad sources, etc.) to make runtime scripts work, that is what weakens enforcement in practice.

I’ll reword the note to reflect this: SPAs don’t rotate the nonce automatically, make sure to propagate the nonce (or use strict-dynamic). When you need per-navigation rotation or policy changes, serve a fresh HTML response (SSR or MPA).

I’ll update the doc text accordingly. 🙏

[sapphi-red]

after the initial load, any scripts you create at runtime must either ...

I don't think this is specific to SPAs. script tags can be injected in non-SPA sites.

If a team doesn’t do one of these, they often relax the policy ('unsafe-inline', broad sources, etc.) to make runtime scripts work, that is what weakens enforcement in practice.

Well, that's not something specific to Vite. We can link to a high quality article like https://web.dev/articles/strict-csp, but we should focus on Vite specific things in the document.

[lodsa-ntos]

Thanks 🙏 That makes sense. You're right, the CSP concerns about runtime script injection are not SPA-specific, and it's better to keep the Vite docs focused. I’ll simplify the note to highlight the limitation in SPAs and link out to the strict CSP article for further guidance.