CSP not working on Turbo Drive content load

[rocket-turtle]

Steps to Reproduce

• Create a new Rails app: $ rails new turbo_csp_problem
• Generate a simple controller: $ rails generate controller Pages home
• activate default content_security_policy
• Add javascript to demonstrate broken CSP - app/views/pages/home.html.erb

<a href="/">click</a>

<script>alert('broken CSP')</script>

<%= javascript_tag nonce: true do %>
  alert('alert with nonce')
<% end %>

https://github.com/rocket-turtle/turbo_csp_problem/commits/main/

Expected Behavior

The "injected" alert "broken CSP" is never shown

Actual Behavior

The "injected" alert "broken CSP" is shown after the link is clicked and the content is loaded via turbo drive.

System Configuration

turbo-rails-2.0.17
rails-8.0.3
ruby-3.3.8

---

I also posted this issue in the Turbo gem repository (hotwired/turbo#1431), but since no one has responded yet, I’m trying here as well.

[dari-us]

Seconded, I also replied to a similar Issue over on hotwired/turbo, but nobody responded.
What is the reasoning behind manually adding the Nonce to each <script> element anyway?

I get that for apps that generate a random Nonce for every response, we need a way to "cheat" the original document's Nonce in. But completely ignoring whether the original Nonce was valid in the first place (or even existed) is a security issue and defeats the purpose of CSP.

IMHO when adding the Nonces, Turbo should check the <script> element's original Nonce against the Nonce in the response header for that request and only set the correct Nonce if it matches.