CSP for Svelte 5 and runes
Svelte 5 doesn’t make CSP hard, but it does force you to be honest about how your app renders, hydrates, and injects code. That’s a good thing. If you’re building with Svelte 5 and runes, the CSP story is mostly about three things: avoiding inline script and style surprises handling nonces correctly for SSR not breaking hydration or third-party tooling Runes themselves don’t need special CSP directives. $state, $derived, and $effect are compile-time language features. CSP doesn’t care that you used runes. CSP cares whether the generated output includes inline JavaScript, inline styles, eval-like behavior, or external resources from origins you didn’t allow. ...