I need to add Content Security Policy headers to an existing Laravel installation and am using Spatie's package (https://github.com/spatie/laravel-csp) for the PHP side of things.
However, there are several vendor JS packages/components in node_modules that are used by the app that violate the base CSP policies by dynamically creating CSS style tags in the DOM.
For CSP to allow style tags, they have to have a nonce attribute applied which matches the nonce value in the HTTP response headers. The header's nonce value is generated per request by the Spatie package and is a randomised string value.
So is there a way to get vendor npm modules to use a nonce value and how would that be achieved? As far as I can tell there doesn't seem to be a way for mix to add the capability of adding a dynamic nonce to all generated script tags in the compiled app.js...
Does anyone have any ideas/pointers on how to achieve this?
Thanks, Rich
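One way to approach the situation described in the post, as an added example that is not part of the original post or of Spatie's package: the server renders the per-request nonce into a meta tag (for instance with the package's `csp_nonce()` helper), and the entry script stamps it on every style element that vendor code creates later. The `csp-nonce` meta tag name and the functions `readNonce`, `stampStyleNonce` and `makeFakeDocument` are assumptions made for this example.

```javascript
// Added example; the csp-nonce meta tag and all function names are assumptions.
// Read the per-request nonce the server rendered into the page.
function readNonce(doc) {
  const meta = doc.querySelector('meta[name="csp-nonce"]');
  const value = meta ? meta.getAttribute('content') : null;
  // Accept only base64/base64url characters; anything else is ignored.
  return value && /^[A-Za-z0-9+\/_-]+={0,2}$/.test(value) ? value : null;
}

// Wrap doc.createElement so <style> elements created afterwards carry the nonce.
function stampStyleNonce(doc, nonce) {
  if (!nonce || doc.__styleNonceStamped) return false;
  const original = doc.createElement;
  doc.createElement = function (tagName, ...rest) {
    const el = original.call(this, tagName, ...rest);
    if (String(tagName).toLowerCase() === 'style' && !el.getAttribute('nonce')) {
      el.setAttribute('nonce', nonce);
    }
    return el;
  };
  doc.__styleNonceStamped = true;
  return true;
}

// Constructed stand-in for a browser document so the example runs under Node.
function makeFakeDocument(metaContent) {
  const makeEl = (tag) => {
    const attrs = {};
    return {
      tagName: String(tag).toUpperCase(),
      getAttribute: (k) => (k in attrs ? attrs[k] : null),
      setAttribute: (k, v) => { attrs[k] = String(v); },
    };
  };
  return {
    querySelector: (sel) => {
      if (sel !== 'meta[name="csp-nonce"]' || metaContent == null) return null;
      const m = makeEl('meta');
      m.setAttribute('content', metaContent);
      return m;
    },
    createElement: (tag) => makeEl(tag),
  };
}

// In a browser, run this first in the entry file, before vendor imports.
if (typeof document !== 'undefined') {
  stampStyleNonce(document, readNonce(document));
}
```

This only covers elements created through `document.createElement` after the wrapper is installed. Bundles whose styles are injected by webpack's style-loader can instead be given the nonce by assigning `__webpack_nonce__` in the entry file.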