fix csp issue for mts realm

.changeset/thin-streets-rule.md

@@ -0,0 +1,5 @@
+---
+"@lynx-js/web-core": patch
+---
+
+fix csp issue for mts realm

packages/web-platform/web-core/src/uiThread/createRenderAllOnUI.ts

@@ -25,7 +25,8 @@ import type { StartUIThreadCallbacks } from './startUIThread.js';
 const existingScript = document.querySelector('script[nonce]') as
   | HTMLScriptElement
   | null;
-const nonce = existingScript?.nonce || existingScript?.getAttribute('nonce');
+const nonce = existingScript?.nonce || existingScript?.getAttribute('nonce')
+  || '';
 
 const {
   prepareMainThreadAPIs,
@@ -57,7 +58,7 @@ async function createIFrameRealm(parent: Node): Promise<JSRealm> {
   });
   iframe.style.display = 'none';
   iframe.srcdoc =
-    '<!DOCTYPE html><html><head><script>parent.postMessage("lynx:mtsready","*")</script></head><body style="display:none"></body></html>';
+    `<!DOCTYPE html><html><head><script nonce="${nonce}">parent.postMessage("lynx:mtsready","*")</script></head><body style="display:none"></body></html>`;
   iframe.sandbox = 'allow-same-origin allow-scripts'; // Restrict capabilities for security
   iframe.loading = 'eager';
   parent.appendChild(iframe);
@@ -68,7 +69,7 @@ async function createIFrameRealm(parent: Node): Promise<JSRealm> {
     script.fetchPriority = 'high';
     script.defer = true;
     script.async = false;
-    script.nonce = nonce || '';
+    script.nonce = nonce;
     iframe.contentDocument!.head.appendChild(script);
     return new Promise(async (resolve, reject) => {
       script.onload = () => {
@@ -90,6 +91,7 @@ async function createIFrameRealm(parent: Node): Promise<JSRealm> {
     xhr.send(null);
     if (xhr.status === 200) {
       const script = iframe.contentDocument!.createElement('script');
+      script.nonce = nonce;
       script.textContent = xhr.responseText;
       // @ts-expect-error
       iframeWindow.module = { exports: undefined };