Description
Strict CSPs require that any script tags that are created have a nonce attribute that specifies the same nonce included in the CSP header, to ensure all scripts that are loaded are trusted. Currently, Flutter is only compatible with the weaker strict-dynamic mode.
Flutter loads many scripts dynamically, e.g. flutter.js loads main.dart.js, and main.dart.js loads additional parts. And the engine loads canvaskit etc. It'd be great if the developer could pass flutter.js a nonce, and then Flutter could use that when loading all additional scripts. E.g.
```js
_flutter.loader.loadEntrypoint({
  entrypointUrl: 'my_app/main.dart.js',
  nonce: my_nonce, // proposed: the nonce from the page's CSP header, reused for every script Flutter injects
  onEntrypointLoaded: function(engineInitializer) {
    engineInitializer.initializeEngine().then(function(appRunner) {
      appRunner.runApp();
    });
  }
});
```
It's worth considering if Flutter can automatically find the right nonce to use somehow e.g. there are approaches internally that copy the nonce from other script tags in the DOM. Overall, though, I think adding it as an explicit parameter passed by the app developer seems less likely to cause breakages and confusion.
This is not blocking anyone at the moment, but it likely will eventually when an app that is already using a strict CSP wants to integrate Flutter without accepting a security regression.
See internal bug b/274360267 for more details.
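The following is an added illustration of the loader shape the issue asks for; it is not Flutter's code and not part of the issue. `loadEntrypoint`, `resolveNonce`, `makeNoncedLoader`, `isValidNonce` and the stub document are assumptions made for this example. It shows the explicit-parameter route, the DOM fallback the issue mentions (copying the nonce from the currently executing script tag), how every later script reuses the same nonce, and the two practitioner caveats: a nonce outside the CSP base64 alphabet can never match the header, and under nonce hiding the value must be read back through the `.nonce` property rather than `getAttribute('nonce')`.

```javascript
// Added example (not Flutter's code): a nonce-propagating script loader shaped
// like the API the issue proposes. All names below are assumptions.

// CSP nonce value grammar: base64 / base64url alphabet with optional '=' padding.
// A value outside this alphabet cannot match the 'nonce-...' source in the header.
const NONCE_VALUE = /^[A-Za-z0-9+\/_-]+={0,2}$/;

function isValidNonce(nonce) {
  return typeof nonce === 'string' && NONCE_VALUE.test(nonce);
}

// Prefer the nonce the app passed explicitly; otherwise fall back to the nonce
// of the currently executing <script> (the tag that loaded the loader itself).
// Read it via the .nonce property: with nonce hiding, getAttribute('nonce')
// returns '' once the element is connected to a document that has a CSP.
function resolveNonce(explicitNonce, doc) {
  if (isValidNonce(explicitNonce)) return explicitNonce;
  const current = doc.currentScript;
  if (current && isValidNonce(current.nonce)) return current.nonce;
  return null;
}

// Returns a load(url) function that creates every further <script> with the
// same nonce, so the entrypoint, its deferred parts and the engine bundle all
// pass a strict nonce-based CSP without relying on 'strict-dynamic'.
function makeNoncedLoader(doc, nonce) {
  if (!isValidNonce(nonce)) {
    throw new Error('a CSP nonce is required to inject scripts under a strict CSP');
  }
  return function load(url) {
    const script = doc.createElement('script');
    script.setAttribute('nonce', nonce); // attribute change updates the element's nonce slot
    script.src = url;
    doc.head.appendChild(script);
    return script;
  };
}

// Mirrors the proposed _flutter.loader.loadEntrypoint({...}) shape.
function loadEntrypoint(doc, { entrypointUrl, nonce, onEntrypointLoaded }) {
  const resolved = resolveNonce(nonce, doc);
  const load = makeNoncedLoader(doc, resolved); // throws if no usable nonce was found
  const entrypoint = load(entrypointUrl);
  if (typeof onEntrypointLoaded === 'function') {
    // A real loader invokes the callback once the entrypoint script has executed.
    entrypoint.onload = () => onEntrypointLoaded({ load, nonce: resolved });
  }
  return { script: entrypoint, nonce: resolved, load };
}

// Constructed stand-in for the DOM so the example runs outside a browser.
function makeStubDocument(currentScriptNonce) {
  function createElement(tagName) {
    const attrs = {};
    return {
      tagName, src: '', onload: null,
      get nonce() { return attrs.nonce || ''; },            // IDL property, as in browsers
      setAttribute(name, value) { attrs[name] = String(value); },
      getAttribute(name) { return name in attrs ? attrs[name] : null; },
    };
  }
  let currentScript = null;
  if (currentScriptNonce) {
    currentScript = createElement('script');
    currentScript.setAttribute('nonce', currentScriptNonce);
  }
  const head = { children: [], appendChild(el) { head.children.push(el); return el; } };
  return { createElement, head, currentScript };
}

// Usage: explicit nonce (the route the issue recommends), then a deferred part
// loaded through the same loader. The nonce value is constructed for the example;
// in production it is generated per response and placed in the CSP header.
const EXAMPLE_NONCE = 'r4nd0mBase64Nonce+/abc=';
const app = loadEntrypoint(makeStubDocument(null), {
  entrypointUrl: 'my_app/main.dart.js',
  nonce: EXAMPLE_NONCE,
});
app.load('my_app/part1.js'); // example path: inherits the same nonce, no extra plumbing
```

The fallback in `resolveNonce` is deliberately second choice: it only works when the loader itself was included with a nonced tag, and it reads the hidden nonce through the IDL property, which is why an explicit parameter is the less surprising contract.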