CSP prevents Svelte’s hydratable injected <script> from running #15019

@allezxandre

Description

Describe the bug

hydratable injects server-side values using a <script>, but with the SvelteKit Content Security Policy enabled, and without the appropriate hash, nonce, or unsafe-inline option, it cannot execute, and server-side values cannot be read by the frontend client.

Reproduction

https://stackblitz.com/edit/sveltejs-kit-template-default-yviyumdw?file=src%2Froutes%2F%2Bpage.svelte

Logs

(index):3 Executing inline script violates the following Content Security Policy directive 'script-src 'self' 'nonce-9Z+y/qZQz/51/2yvKoZIWw==''. Either the 'unsafe-inline' keyword, a hash ('sha256-9VIfqMonp15xwF2wvp1RmHfbksUeX7jimMpejnf5jYk='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

(index):382 Executing inline script violates the following Content Security Policy directive 'script-src 'self' 'nonce-9Z+y/qZQz/51/2yvKoZIWw==''. Either the 'unsafe-inline' keyword, a hash ('sha256-nnB+eZiQNF2jVji8SmSD3jIPOOM1myrH3heZuuwMTSM='), or a nonce ('nonce-...') is required to enable inline execution. The action has been blocked.

client.js?v=f4cdcbb5:373 Uncaught (in promise) Svelte error: hydratable_missing_but_required
Expected to find a hydratable with key `test` during hydration, but did not.
https://svelte.dev/e/hydratable_missing_but_required

	in <unknown>
	in +layout.svelte
	in root.svelte

    at hydratable_missing_but_required (chunk-FCEKZG5A.js?v=f4cdcbb5:363:19)
    at hydratable (chunk-BNDFOET4.js?v=f4cdcbb5:2880:7)
    at _page (+page.svelte:7:22)

System Info

System:
    OS: Linux 6.17 Debian GNU/Linux 13 (trixie) 13 (trixie)
    CPU: (10) arm64 unknown
    Memory: 748.19 MB / 6.83 GB
    Container: Yes
    Shell: 5.2.37 - /bin/bash
  Binaries:
    Node: 24.10.0 - /usr/local/bin/node
    npm: 11.6.1 - /usr/local/bin/npm
    pnpm: 10.24.0 - /usr/local/share/npm-global/bin/pnpm
  npmPackages:
    @sveltejs/kit: ^2.49.1 => 2.49.1 
    svelte: ^5.45.4 => 5.45.4 
    vite: ^7.2.6 => 7.2.6

Severity

serious, but I can work around it

Additional Information

The workaround is to add unsafe-inline to the CSP "script-src" directive.
