fix: add CSP hashes/nonces to inline styles when using (#13232)

Author: Rich-Harris

.changeset/angry-geckos-dream.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: add CSP hashes/nonces to inline styles when using `bundleStrategy: 'inline'`

packages/kit/src/runtime/server/page/csp.js

@@ -186,10 +186,6 @@ class BaseProvider {
 			this.#style_src.push(source);
 		}
 
-		if (this.#style_src_needs_csp) {
-			this.#style_src.push(source);
-		}
-
 		if (this.#style_src_attr_needs_csp) {
 			this.#style_src_attr.push(source);
 		}

packages/kit/src/runtime/server/page/render.js

@@ -228,19 +228,18 @@ export async function render_response({
 		return `${assets}/${path}`;
 	};
 
-	if (client.inline?.style) {
-		head += `\n\t<style>${client.inline.style}</style>`;
-	}
-
-	if (inline_styles.size > 0) {
-		const content = Array.from(inline_styles.values()).join('\n');
+	// inline styles can come from `bundleStrategy: 'inline'` or `inlineStyleThreshold`
+	const style = client.inline
+		? client.inline?.style
+		: Array.from(inline_styles.values()).join('\n');
 
+	if (style) {
 		const attributes = __SVELTEKIT_DEV__ ? [' data-sveltekit'] : [];
 		if (csp.style_needs_nonce) attributes.push(` nonce="${csp.nonce}"`);
 
-		csp.add_style(content);
+		csp.add_style(style);
 
-		head += `\n\t<style${attributes.join('')}>${content}</style>`;
+		head += `\n\t<style${attributes.join('')}>${style}</style>`;
 	}
 
 	for (const dep of stylesheets) {