
Streaming disables CSP silently #11801

Open
vegardok opened this issue Feb 5, 2024 · 1 comment · May be fixed by #12418

Comments


vegardok commented Feb 5, 2024

Describe the bug

Using streaming disables the "built-in" CSP support, and this is not documented clearly (I read both the CSP and streaming docs). The workaround is to use my own CSP in a handle hook, but to support streaming I have to add script-src: 'unsafe-inline', which is undesirable. I was not able to find the nonce in the handle hook that is referenced in the doc.

Reproduction

https://github.com/vegardok/sveltekit-csp-and-streaming/commits/main/

Logs

No response

System Info

System:
    OS: macOS 14.3
    CPU: (10) arm64 Apple M2 Pro
    Memory: 295.05 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.9.0 - ~/.nvm/versions/node/v20.9.0/bin/node
    npm: 10.1.0 - ~/.nvm/versions/node/v20.9.0/bin/npm
    pnpm: 8.14.0 - ~/.nvm/versions/node/v20.9.0/bin/pnpm
  Browsers:
    Chrome: 121.0.6167.85
    Safari: 17.3
  npmPackages:
    @sveltejs/adapter-auto: ^3.0.0 => 3.1.1 
    @sveltejs/kit: ^2.0.0 => 2.5.0 
    @sveltejs/vite-plugin-svelte: ^3.0.0 => 3.0.2 
    svelte: ^4.2.7 => 4.2.9 
    vite: ^5.0.3 => 5.0.12

Severity

serious, but I can work around it

Additional Information

No response


jamesbirtles commented Apr 4, 2024

Pretty sure I just ran into this too. Looking at the code generated (at least for the cloudflare adapter), it doesn't use the headers object that it adds the CSP header (among other things) to.

Here the headers22 variable has the CSP header in it but doesn't get used, as !chunks is evaluating to false and they aren't used in the else branch.
[screenshot of the generated adapter code]
