
nextjs - 💡(How to fix) Fix App Router component chunk scripts are missing CSP nonce



### Link to the code that reproduces this issue

I can provide a minimal reproduction if needed. We found this while debugging CSP report-only violations in a Next.js 16.1.6 App Router app.

### To Reproduce

1. Use App Router with CSP nonces as documented:
   - generate a per-request nonce in proxy/middleware
   - pass it through `x-nonce`
   - pass a request `Content-Security-Policy` header containing `'nonce-...'`
   - set the same nonce in the response CSP
2. Render a route that causes App Router to emit component JS chunks.
3. Inspect the SSR HTML or CSP reports.

### Current vs. Expected behavior

Current:

Some SSR-emitted component chunk scripts are rendered without a nonce:

```html
<script src="/_next/static/chunks/..." async=""></script>
```

This causes CSP violations under `script-src-elem` when using a strict nonce-based policy.

Expected:

Those scripts should include the nonce parsed by Next from the request CSP:

```html
<script src="/_next/static/chunks/..." async="" nonce="..."></script>
```

### Suspected source

`packages/next/src/server/app-render/create-component-styles-and-scripts.tsx`

This currently emits:

```tsx
createElement('script', {
  src: `${ctx.assetPrefix}/_next/${encodeURIPath(href)}${getAssetQueryString(ctx, true)}`,
  async: true,
  key: `script-${scriptIndex}`,
})
```

It should likely mirror `packages/next/src/server/app-render/get-layer-assets.tsx`, which already passes:

```tsx
nonce: ctx.nonce
```

### Related context

This seems similar in class to previously fixed CSP nonce propagation gaps, for example #81999, but that patch covers `next/dynamic` preload chunks. This issue appears to be a separate App Router SSR component chunk script path.
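The "inspect the SSR HTML" step from the report can be automated. The following is an added example, not code from the issue or from Next.js: it reads the nonce from a CSP header and lists every `<script>` opening tag in a rendered page that lacks a matching nonce. The function names and the sample header and HTML are constructed for illustration, and the check assumes a strict policy in which the nonce is the only thing that allows parser-inserted scripts.

```javascript
// Added example: list <script> tags in SSR HTML that carry no nonce matching
// the page's CSP. Names and sample data are constructed for illustration.

// Nonces that apply to script elements. Fallback order follows CSP:
// script-src-elem, then script-src, then default-src.
function scriptNonces(cspHeader) {
  const directives = new Map();
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Directive names are case-insensitive; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  const sources = directives.get('script-src-elem') ||
    directives.get('script-src') || directives.get('default-src') || [];
  return sources
    .map((s) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
}

// Opening tag of every <script> whose nonce attribute is absent or does not
// match the policy. Regex scanning is enough for server-rendered output; it
// is not a general HTML parser.
function scriptsMissingNonce(html, cspHeader) {
  const allowed = new Set(scriptNonces(cspHeader));
  const offenders = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const m = /\snonce\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    const nonce = m ? (m[1] ?? m[2]) : null;
    if (nonce === null || !allowed.has(nonce)) offenders.push(tag);
  }
  return offenders;
}

// Constructed sample: one chunk script without a nonce, two scripts with it.
const SAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-cjRuZG9tLW5vbmNl' 'strict-dynamic'";
const SAMPLE_HTML = [
  '<script src="/_next/static/chunks/a.js" async=""></script>',
  '<script src="/_next/static/chunks/b.js" async="" nonce="cjRuZG9tLW5vbmNl"></script>',
  '<script nonce="cjRuZG9tLW5vbmNl">self.__demo = 1</script>',
].join('\n');

console.log(scriptsMissingNonce(SAMPLE_HTML, SAMPLE_CSP));
```

Run against the HTML of each route in CI, a non-empty result flags a nonce propagation gap before it shows up as a `script-src-elem` violation report.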
