Disable nonce-based CSP in middleware

Summary

Disables nonce-based CSP because Next.js 14 doesn't fully support it.

Problem

The nonce-based CSP was causing violations:

  • script-src-elem violations for inline scripts
  • style-src-attr violations for inline style attributes

Root Cause

Next.js 14 doesn't automatically inject nonces into:

  • Internal scripts (__NEXT_DATA__, hydration scripts)
  • Inline style attributes (which can't carry nonces at all; a CSP spec limitation)

Solution

  • Remove nonce generation from middleware
  • Let the static CSP from next.config.js take effect
  • The static CSP uses 'unsafe-inline' which is compatible with Next.js
  • See #796 for tracking future nonce CSP support when Next.js improves

Test Plan

  • Verify CSP violations stop appearing in browser console
  • Verify CSP violations stop appearing in server logs
  • Deploy to staging and monitor
