The latest directions for how to use the Vercel Toolbar with a Content-Security-Policy-Header are here. However, this doesn’t work if you’re using a strict CSP policy which includes:
script-src 'nonce-<value>' 'strict-dynamic' https://vercel.live
Chrome displays the following error in this scenario:
Refused to load the script ‘https://vercel.live/_next-live/feedback/instrument.242aee9aec5e4e7f4f19.js’ because it violates the following Content Security Policy directive: “script-src ‘nonce-NDUxM2EyYWEtYTAwMi00ZDk2LWI4OGMtMDBlZjJkZDc0ODJm’ ‘strict-dynamic’ https://vercel.live”. Note that ‘strict-dynamic’ is present, so host-based allowlisting is disabled. Note that ‘script-src-elem’ was not explicitly set, so ‘script-src’ is used as a fallback.
How do I get the Vercel Toolbar to work with nonces in my NextJS application?