Add support for FUOC prevention script generation as string for injection in hooks.server.ts

[fnimick]

Describe the feature in detail (code, mocks, or screenshots encouraged)

Per Svelte team, a potential way to handle adding library scripts to the initial page load <head> is to add a script block with nonce="%sveltekit.nonce%" in your app.html, then inject the library content into that script block in a server hook for rendering. This would avoid the need to manually manipulate CSP response headers to keep a generated nonce in sync with the mode watcher nonce prop, as suggested in #86

It would be great to provide a function that would generate and return the script content as a string for use in such a way. (and also add a prop to disable the addition of the FOUC prevention script in svelte:head in this case, since it will already be added through a hook)

What type of pull request would this be?

Enhancement

Provide relevant links or additional information.

I already took a first pass at this in #89

[jasongitmail]

Great find! This might solve the issue of SvelteKit's CSP rules clobbering mode-watcher's inline hash. I've had to choose between living with FOUC or disabling script-src rules (security issue) due to this.

[fnimick]

Usage example in hooks.server.ts:

const injectHeadScripts: Handle = async ({ event, resolve }) => {
  return resolve(event, {
    transformPageChunk: ({ html }) => {
      return html.replace("%modewatcher.snippet%", generateSetInitialModeExpression({}));
    },
  });
};

export const handle = sequence(
  injectHeadScripts,
  // .....
);

[ithan]

Hello guys! I see that @fnimick made a pull request for this ( #89 ) and I'm wondering if there is any ETA for a release?

I'm having this issue as well, and I don't want to disable the script-src rule 😞

[huntabyte]

Working on it! Testing some ideas around a ModeWatcherLite which would omit the script tag and then provide helpers for handling it in the hook!