Skip to content

[docs] Improve CSP guide with required directives#48258

Merged
Janpot merged 8 commits into
mui:masterfrom
Janpot:docs/improve-csp-guide
Apr 17, 2026
Merged

[docs] Improve CSP guide with required directives#48258
Janpot merged 8 commits into
mui:masterfrom
Janpot:docs/improve-csp-guide

Conversation

@Janpot
Copy link
Copy Markdown
Member

@Janpot Janpot commented Apr 10, 2026

Summary

  • Restructure the CSP guide around static vs. dynamic website setups
  • Add a "Required directives" section explaining style-src-elem, style-src-attr, and script-src
  • Clarify that style-src-attr 'unsafe-inline' is only needed for SSR (React's CSSOM API is CSP-safe in client-only apps)
  • Add static hosting guidance (nonces require a server)
  • Add "CSP is optional" callout

@Janpot
[docs] Improve CSP guide with required directives and static/dynamic …
5e632dd 
…distinction

Restructure the Content Security Policy guide to clearly explain:
- Which CSP directives Material UI requires and why
- The difference between static and dynamic website setups
- That style-src-attr 'unsafe-inline' is needed for SSR due to
  inline style attributes, but not for client-only apps
- That nonces require a server and can't be used with static hosting
@Janpot Janpot added the docs Improvements or additions to the documentation. label Apr 10, 2026
@mui-bot
Copy link
Copy Markdown

mui-bot commented Apr 10, 2026
edited
Loading

Netlify deploy preview

Bundle size report

Bundle Parsed size Gzip size
@mui/material 0B(0.00%) 0B(0.00%)
@mui/lab 0B(0.00%) 0B(0.00%)
@mui/system 0B(0.00%) 0B(0.00%)
@mui/utils 0B(0.00%) 0B(0.00%)

Details of bundle changes

Generated by 🚫 dangerJS against 44f2355

@Janpot Janpot marked this pull request as ready for review April 13, 2026 09:02
@Janpot Janpot requested a review from a team April 13, 2026 09:02
mj12albert
mj12albert reviewed Apr 16, 2026
View reviewed changes
Comment thread docs/data/material/guides/content-security-policy/content-security-policy.md
With a server, you can generate a unique nonce per request for tighter security. Material UI requires the following CSP directives:

- **`style-src-elem 'nonce-<base64>'`** — Material UI uses [Emotion](https://emotion.sh/) to inject `<style>` tags. Each tag needs a matching nonce.
- **`style-src-attr 'unsafe-inline'`** — Some components apply inline `style` attributes for dynamic values (CSS custom properties, dimensions, positioning).
Copy link
Copy Markdown
Member

@mj12albert mj12albert Apr 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should mention here this is only needed for SSR and not CSR? (saw this is mentioned in the PR description but doesn't seem to be in the doc)

Copy link
Copy Markdown
Member Author

@Janpot Janpot Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I renamed the title from "dynamic hosting" back to "Server-Side Rendering (SSR)"

@Janpot Janpot requested a review from mj12albert April 17, 2026 08:22
@Janpot Janpot merged commit 5d4a8f2 into mui:master Apr 17, 2026
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mj12albert mj12albert mj12albert approved these changes

Assignees

No one assigned

Labels

docs Improvements or additions to the documentation.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Janpot @mui-bot @mj12albert