Add nonceStyleSrcElem() to complete nonce support on element directives

claude · claude · commit e131ba9df9fc · 2026-06-15T04:59:11.000Z
A nonce is valid on the four element directives (script-src, script-src-elem,
style-src, style-src-elem) per CSP3. Added the style-src-elem counterpart of
nonceScriptSrcElem(). No nonce helper for the -attr directives: a nonce matches
elements, not inline event handlers or style attributes, so it could never apply
there. No sha helpers for the granular directives - the generic add() attaches
precomputed hashes and the -attr hashes need 'unsafe-hashes' to apply.
diff --git a/modules/web/web-api/src/main/java/com/enonic/xp/web/csp/ContentSecurityPolicy.java b/modules/web/web-api/src/main/java/com/enonic/xp/web/csp/ContentSecurityPolicy.java
@@ -87,6 +87,8 @@ public final class ContentSecurityPolicy
 
     private static final String STYLE_SRC = "style-src";
 
+    private static final String STYLE_SRC_ELEM = "style-src-elem";
+
     private static final String NONE = "'none'";
 
     private static final String NONCE_SOURCE_PREFIX = "'nonce-";
@@ -641,6 +643,16 @@ public String nonceStyleSrc()
         return nonceFor( STYLE_SRC );
     }
 
+    /**
+     * Wires the request nonce into {@code style-src-elem} and returns its value (for stamping on a
+     * {@code <style nonce="...">} element that must satisfy a page whose {@code style-src-elem} uses
+     * {@code 'strict-dynamic'}). A nonce is valid on {@code style-src-elem} per CSP Level 3.
+     */
+    public String nonceStyleSrcElem()
+    {
+        return nonceFor( STYLE_SRC_ELEM );
+    }
+
     /**
      * The nonce is a cryptographically random, base64-encoded value (≥ 128 bits of entropy). Every
      * {@code nonce*} call returns the same value for the life of this policy instance (= life of
diff --git a/modules/web/web-api/src/test/java/com/enonic/xp/web/csp/ContentSecurityPolicyTest.java b/modules/web/web-api/src/test/java/com/enonic/xp/web/csp/ContentSecurityPolicyTest.java
@@ -843,6 +843,15 @@ void nonceScriptSrcElem_wires_the_request_nonce_into_script_src_elem()
         assertThat( csp.nonceScriptSrc() ).isEqualTo( nonce );
     }
 
+    @Test
+    void nonceStyleSrcElem_wires_the_request_nonce_into_style_src_elem()
+    {
+        final ContentSecurityPolicy csp = new ContentSecurityPolicy();
+        final String nonce = csp.nonceStyleSrcElem();
+        assertThat( csp.serialize() ).isEqualTo( "style-src-elem 'nonce-" + nonce + "'" );
+        assertThat( csp.nonceStyleSrc() ).isEqualTo( nonce );
+    }
+
     @Test
     void resetTo_parses_comma_separated_policies_and_round_trips()
     {
