From 83afd3e67a48f456408e52310848a4bade0ba83b Mon Sep 17 00:00:00 2001
From: Charly Gomez <charly.gomez@sentry.io>
Date: Tue, 6 Aug 2024 10:03:56 +0200
Subject: [PATCH 1/7] test: add integration test that uses csp

---
 .../suites/feedback/csp-nonce/init.js         |  19 +++
 .../suites/feedback/csp-nonce/template.html   |  10 ++
 .../suites/feedback/csp-nonce/test.ts         | 119 ++++++++++++++++++
 3 files changed, 148 insertions(+)
 create mode 100644 dev-packages/browser-integration-tests/suites/feedback/csp-nonce/init.js
 create mode 100644 dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html
 create mode 100644 dev-packages/browser-integration-tests/suites/feedback/csp-nonce/test.ts

diff --git a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/init.js b/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/init.js
new file mode 100644
index 000000000000..576e213e8de9
--- /dev/null
+++ b/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/init.js
@@ -0,0 +1,19 @@
+import * as Sentry from '@sentry/browser';
+// Import this separately so that generatePlugin can handle it for CDN scenarios
+import { feedbackIntegration } from '@sentry/browser';
+
+window.Sentry = Sentry;
+
+Sentry.init({
+  dsn: 'https://public@dsn.ingest.sentry.io/1337',
+  replaysOnErrorSampleRate: 1.0,
+  replaysSessionSampleRate: 1.0,
+  integrations: [Sentry.replayIntegration(), feedbackIntegration()],
+});
+
+document.addEventListener('securitypolicyviolation', () => {
+  const container = document.querySelector('#csp-violation');
+  if (container) {
+    container.innerText = 'CSP Violation';
+  }
+});
diff --git a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html b/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html
new file mode 100644
index 000000000000..842369a489f8
--- /dev/null
+++ b/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html
@@ -0,0 +1,10 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-foo1234';" />
+  </head>
+  <body>
+    <div id="csp-violation" />
+  </body>
+</html>
diff --git a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/test.ts b/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/test.ts
new file mode 100644
index 000000000000..3f1003d24fa4
--- /dev/null
+++ b/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/test.ts
@@ -0,0 +1,119 @@
+import { expect } from '@playwright/test';
+
+import { TEST_HOST, sentryTest } from '../../../utils/fixtures';
+import { envelopeRequestParser, getEnvelopeType, shouldSkipFeedbackTest } from '../../../utils/helpers';
+import {
+  collectReplayRequests,
+  getReplayBreadcrumbs,
+  shouldSkipReplayTest,
+  waitForReplayRequest,
+} from '../../../utils/replayHelpers';
+
+sentryTest('should not log CSP errors', async ({ forceFlushReplay, getLocalTestUrl, page }) => {
+  if (shouldSkipFeedbackTest() || shouldSkipReplayTest()) {
+    sentryTest.skip();
+  }
+
+  const reqPromise0 = waitForReplayRequest(page, 0);
+
+  const feedbackRequestPromise = page.waitForResponse(res => {
+    const req = res.request();
+
+    const postData = req.postData();
+    if (!postData) {
+      return false;
+    }
+
+    try {
+      return getEnvelopeType(req) === 'feedback';
+    } catch (err) {
+      return false;
+    }
+  });
+
+  await page.route('https://dsn.ingest.sentry.io/**/*', route => {
+    return route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify({ id: 'test-id' }),
+    });
+  });
+
+  const url = await getLocalTestUrl({ testDir: __dirname });
+
+  await Promise.all([page.goto(url), page.getByText('Report a Bug').click(), reqPromise0]);
+
+  const replayRequestPromise = collectReplayRequests(page, recordingEvents => {
+    return getReplayBreadcrumbs(recordingEvents).some(breadcrumb => breadcrumb.category === 'sentry.feedback');
+  });
+
+  // Inputs are slow, these need to be serial
+  await page.locator('[name="name"]').fill('Jane Doe');
+  await page.locator('[name="email"]').fill('janedoe@example.org');
+  await page.locator('[name="message"]').fill('my example feedback');
+
+  // Force flush here, as inputs are slow and can cause click event to be in unpredictable segments
+  await Promise.all([forceFlushReplay()]);
+
+  const [, feedbackResp] = await Promise.all([
+    page.locator('[data-sentry-feedback] .btn--primary').click(),
+    feedbackRequestPromise,
+  ]);
+
+  const { replayEvents, replayRecordingSnapshots } = await replayRequestPromise;
+  const breadcrumbs = getReplayBreadcrumbs(replayRecordingSnapshots);
+
+  const replayEvent = replayEvents[0];
+  const feedbackEvent = envelopeRequestParser(feedbackResp.request());
+
+  expect(breadcrumbs).toEqual(
+    expect.arrayContaining([
+      expect.objectContaining({
+        category: 'sentry.feedback',
+        data: { feedbackId: expect.any(String) },
+        timestamp: expect.any(Number),
+        type: 'default',
+      }),
+    ]),
+  );
+
+  expect(feedbackEvent).toEqual({
+    type: 'feedback',
+    breadcrumbs: expect.any(Array),
+    contexts: {
+      feedback: {
+        contact_email: 'janedoe@example.org',
+        message: 'my example feedback',
+        name: 'Jane Doe',
+        replay_id: replayEvent.event_id,
+        source: 'widget',
+        url: `${TEST_HOST}/index.html`,
+      },
+      trace: {
+        trace_id: expect.stringMatching(/\w{32}/),
+        span_id: expect.stringMatching(/\w{16}/),
+      },
+    },
+    level: 'info',
+    tags: {},
+    timestamp: expect.any(Number),
+    event_id: expect.stringMatching(/\w{32}/),
+    environment: 'production',
+    sdk: {
+      integrations: expect.arrayContaining(['Feedback']),
+      version: expect.any(String),
+      name: 'sentry.javascript.browser',
+      packages: expect.anything(),
+    },
+    request: {
+      url: `${TEST_HOST}/index.html`,
+      headers: {
+        'User-Agent': expect.stringContaining(''),
+      },
+    },
+    platform: 'javascript',
+  });
+
+  const cspContainer = await page.locator('#csp-violation');
+  expect(cspContainer).not.toContainText('CSP Violation');
+});

From 9f54dbb0742b32d1c2169f79efccc0fdfcfa9a75 Mon Sep 17 00:00:00 2001
From: Charly Gomez <charly.gomez@sentry.io>
Date: Tue, 6 Aug 2024 13:56:16 +0200
Subject: [PATCH 2/7] feat: add nonce to replay integration

---
 packages/browser/src/utils/lazyLoadIntegration.ts |  5 +++++
 packages/feedback/src/core/createMainStyles.ts    | 11 ++++++++++-
 packages/feedback/src/core/integration.ts         |  2 ++
 packages/types/src/feedback/config.ts             |  5 +++++
 packages/types/src/options.ts                     |  5 +++++
 5 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/packages/browser/src/utils/lazyLoadIntegration.ts b/packages/browser/src/utils/lazyLoadIntegration.ts
index 4479c2e69590..3d69203dfef0 100644
--- a/packages/browser/src/utils/lazyLoadIntegration.ts
+++ b/packages/browser/src/utils/lazyLoadIntegration.ts
@@ -33,6 +33,8 @@ const WindowWithMaybeIntegration = WINDOW as {
  */
 export async function lazyLoadIntegration(name: keyof typeof LazyLoadableIntegrations): Promise<IntegrationFn> {
   const bundle = LazyLoadableIntegrations[name];
+  const client = getClient();
+  const nonce = client && client.getOptions().nonce;
 
   // `window.Sentry` is only set when using a CDN bundle, but this method can also be used via the NPM package
   const sentryOnWindow = (WindowWithMaybeIntegration.Sentry = WindowWithMaybeIntegration.Sentry || {});
@@ -52,6 +54,9 @@ export async function lazyLoadIntegration(name: keyof typeof LazyLoadableIntegra
   script.src = url;
   script.crossOrigin = 'anonymous';
   script.referrerPolicy = 'origin';
+  if (nonce) {
+    script.nonce = nonce;
+  }
 
   const waitForLoad = new Promise<void>((resolve, reject) => {
     script.addEventListener('load', () => resolve());
diff --git a/packages/feedback/src/core/createMainStyles.ts b/packages/feedback/src/core/createMainStyles.ts
index 68ac751b8584..bed88d67a324 100644
--- a/packages/feedback/src/core/createMainStyles.ts
+++ b/packages/feedback/src/core/createMainStyles.ts
@@ -51,7 +51,12 @@ function getThemedCssVariables(theme: InternalTheme): string {
 /**
  * Creates <style> element for widget actor (button that opens the dialog)
  */
-export function createMainStyles({ colorScheme, themeDark, themeLight }: FeedbackInternalOptions): HTMLStyleElement {
+export function createMainStyles({
+  colorScheme,
+  themeDark,
+  themeLight,
+  nonce,
+}: FeedbackInternalOptions): HTMLStyleElement {
   const style = DOCUMENT.createElement('style');
   style.textContent = `
 :host {
@@ -86,5 +91,9 @@ ${
 }
 `;
 
+  if (nonce) {
+    style.nonce = nonce;
+  }
+
   return style;
 }
diff --git a/packages/feedback/src/core/integration.ts b/packages/feedback/src/core/integration.ts
index 888461c9a6bf..f4583d0f8843 100644
--- a/packages/feedback/src/core/integration.ts
+++ b/packages/feedback/src/core/integration.ts
@@ -77,6 +77,7 @@ export const buildFeedbackIntegration = ({
       name: 'username',
     },
     tags,
+    nonce,
 
     // FeedbackThemeConfiguration
     colorScheme = 'system',
@@ -119,6 +120,7 @@ export const buildFeedbackIntegration = ({
       enableScreenshot,
       useSentryUser,
       tags,
+      nonce,
 
       colorScheme,
       themeDark,
diff --git a/packages/types/src/feedback/config.ts b/packages/types/src/feedback/config.ts
index 977bf6ef7640..3b5ef5c9fb89 100644
--- a/packages/types/src/feedback/config.ts
+++ b/packages/types/src/feedback/config.ts
@@ -61,6 +61,11 @@ export interface FeedbackGeneralConfiguration {
    * Set an object that will be merged sent as tags data with the event.
    */
   tags?: { [key: string]: Primitive };
+
+  /**
+   * Set a nonce to be passed to the injected <style> tag for enforcing CSP
+   */
+  nonce?: string;
 }
 
 /**
diff --git a/packages/types/src/options.ts b/packages/types/src/options.ts
index 5179c1fdb70e..efd24753df4c 100644
--- a/packages/types/src/options.ts
+++ b/packages/types/src/options.ts
@@ -326,6 +326,11 @@ export interface ClientOptions<TO extends BaseTransportOptions = BaseTransportOp
    * @returns The breadcrumb that will be added | null.
    */
   beforeBreadcrumb?: (breadcrumb: Breadcrumb, hint?: BreadcrumbHint) => Breadcrumb | null;
+
+  /**
+   * A nonce that is passed to injected script and style tags for enforcing CSPs
+   */
+  nonce?: string;
 }
 
 /** Base configuration options for every SDK. */

From f6e54968fb42338027c7677b2c8e4e49dbfa7591 Mon Sep 17 00:00:00 2001
From: Charly Gomez <charly.gomez@sentry.io>
Date: Tue, 6 Aug 2024 14:54:44 +0200
Subject: [PATCH 3/7] feat: pass nonces to feedback directly

---
 packages/browser/src/utils/lazyLoadIntegration.ts | 11 ++++++-----
 packages/feedback/src/core/createMainStyles.ts    |  6 +++---
 packages/feedback/src/core/integration.ts         |  4 ++--
 packages/types/src/feedback/config.ts             |  2 +-
 packages/types/src/options.ts                     |  5 -----
 5 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/packages/browser/src/utils/lazyLoadIntegration.ts b/packages/browser/src/utils/lazyLoadIntegration.ts
index 3d69203dfef0..e8c75f9476d0 100644
--- a/packages/browser/src/utils/lazyLoadIntegration.ts
+++ b/packages/browser/src/utils/lazyLoadIntegration.ts
@@ -31,10 +31,11 @@ const WindowWithMaybeIntegration = WINDOW as {
  * Lazy load an integration from the CDN.
  * Rejects if the integration cannot be loaded.
  */
-export async function lazyLoadIntegration(name: keyof typeof LazyLoadableIntegrations): Promise<IntegrationFn> {
+export async function lazyLoadIntegration(
+  name: keyof typeof LazyLoadableIntegrations,
+  scriptNonce?: string,
+): Promise<IntegrationFn> {
   const bundle = LazyLoadableIntegrations[name];
-  const client = getClient();
-  const nonce = client && client.getOptions().nonce;
 
   // `window.Sentry` is only set when using a CDN bundle, but this method can also be used via the NPM package
   const sentryOnWindow = (WindowWithMaybeIntegration.Sentry = WindowWithMaybeIntegration.Sentry || {});
@@ -54,8 +55,8 @@ export async function lazyLoadIntegration(name: keyof typeof LazyLoadableIntegra
   script.src = url;
   script.crossOrigin = 'anonymous';
   script.referrerPolicy = 'origin';
-  if (nonce) {
-    script.nonce = nonce;
+  if (scriptNonce) {
+    script.nonce = scriptNonce;
   }
 
   const waitForLoad = new Promise<void>((resolve, reject) => {
diff --git a/packages/feedback/src/core/createMainStyles.ts b/packages/feedback/src/core/createMainStyles.ts
index bed88d67a324..cfe50213d8c7 100644
--- a/packages/feedback/src/core/createMainStyles.ts
+++ b/packages/feedback/src/core/createMainStyles.ts
@@ -55,7 +55,7 @@ export function createMainStyles({
   colorScheme,
   themeDark,
   themeLight,
-  nonce,
+  styleNonce,
 }: FeedbackInternalOptions): HTMLStyleElement {
   const style = DOCUMENT.createElement('style');
   style.textContent = `
@@ -91,8 +91,8 @@ ${
 }
 `;
 
-  if (nonce) {
-    style.nonce = nonce;
+  if (styleNonce) {
+    style.nonce = styleNonce;
   }
 
   return style;
diff --git a/packages/feedback/src/core/integration.ts b/packages/feedback/src/core/integration.ts
index f4583d0f8843..b9d6b4fb3332 100644
--- a/packages/feedback/src/core/integration.ts
+++ b/packages/feedback/src/core/integration.ts
@@ -77,7 +77,7 @@ export const buildFeedbackIntegration = ({
       name: 'username',
     },
     tags,
-    nonce,
+    styleNonce,
 
     // FeedbackThemeConfiguration
     colorScheme = 'system',
@@ -120,7 +120,7 @@ export const buildFeedbackIntegration = ({
       enableScreenshot,
       useSentryUser,
       tags,
-      nonce,
+      styleNonce,
 
       colorScheme,
       themeDark,
diff --git a/packages/types/src/feedback/config.ts b/packages/types/src/feedback/config.ts
index 3b5ef5c9fb89..8c0106efb0ad 100644
--- a/packages/types/src/feedback/config.ts
+++ b/packages/types/src/feedback/config.ts
@@ -65,7 +65,7 @@ export interface FeedbackGeneralConfiguration {
   /**
    * Set a nonce to be passed to the injected <style> tag for enforcing CSP
    */
-  nonce?: string;
+  styleNonce?: string;
 }
 
 /**
diff --git a/packages/types/src/options.ts b/packages/types/src/options.ts
index efd24753df4c..5179c1fdb70e 100644
--- a/packages/types/src/options.ts
+++ b/packages/types/src/options.ts
@@ -326,11 +326,6 @@ export interface ClientOptions<TO extends BaseTransportOptions = BaseTransportOp
    * @returns The breadcrumb that will be added | null.
    */
   beforeBreadcrumb?: (breadcrumb: Breadcrumb, hint?: BreadcrumbHint) => Breadcrumb | null;
-
-  /**
-   * A nonce that is passed to injected script and style tags for enforcing CSPs
-   */
-  nonce?: string;
 }
 
 /** Base configuration options for every SDK. */

From 275b9dc9c3f25e664ed8db7dba88383194b213a1 Mon Sep 17 00:00:00 2001
From: Charly Gomez <charly.gomez@sentry.io>
Date: Tue, 13 Aug 2024 10:36:45 +0200
Subject: [PATCH 4/7] feat: Add nonce to feedback related style tags

---
 packages/feedback/src/core/components/Actor.css.ts          | 6 +++++-
 packages/feedback/src/core/components/Actor.ts              | 5 +++--
 packages/feedback/src/core/createMainStyles.ts              | 2 +-
 packages/feedback/src/core/integration.ts                   | 1 +
 packages/feedback/src/modal/components/Dialog.css.ts        | 6 +++++-
 packages/feedback/src/modal/integration.tsx                 | 2 +-
 .../feedback/src/screenshot/components/ScreenshotEditor.tsx | 4 ++--
 .../src/screenshot/components/ScreenshotInput.css.ts        | 6 +++++-
 8 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/packages/feedback/src/core/components/Actor.css.ts b/packages/feedback/src/core/components/Actor.css.ts
index 60ae7cebd08e..8a8b2c4efa29 100644
--- a/packages/feedback/src/core/components/Actor.css.ts
+++ b/packages/feedback/src/core/components/Actor.css.ts
@@ -3,7 +3,7 @@ import { DOCUMENT } from '../../constants';
 /**
  * Creates <style> element for widget actor (button that opens the dialog)
  */
-export function createActorStyles(): HTMLStyleElement {
+export function createActorStyles(styleNonce?: string): HTMLStyleElement {
   const style = DOCUMENT.createElement('style');
   style.textContent = `
 .widget__actor {
@@ -58,5 +58,9 @@ export function createActorStyles(): HTMLStyleElement {
 }
 `;
 
+  if (styleNonce) {
+    style.setAttribute('nonce', styleNonce);
+  }
+
   return style;
 }
diff --git a/packages/feedback/src/core/components/Actor.ts b/packages/feedback/src/core/components/Actor.ts
index f31da8612a9f..3ba04e85ddd1 100644
--- a/packages/feedback/src/core/components/Actor.ts
+++ b/packages/feedback/src/core/components/Actor.ts
@@ -6,6 +6,7 @@ export interface ActorProps {
   triggerLabel: string;
   triggerAriaLabel: string;
   shadow: ShadowRoot;
+  styleNonce?: string;
 }
 
 export interface ActorComponent {
@@ -23,7 +24,7 @@ export interface ActorComponent {
 /**
  * The sentry-provided button to open the feedback modal
  */
-export function Actor({ triggerLabel, triggerAriaLabel, shadow }: ActorProps): ActorComponent {
+export function Actor({ triggerLabel, triggerAriaLabel, shadow, styleNonce }: ActorProps): ActorComponent {
   const el = DOCUMENT.createElement('button');
   el.type = 'button';
   el.className = 'widget__actor';
@@ -36,7 +37,7 @@ export function Actor({ triggerLabel, triggerAriaLabel, shadow }: ActorProps): A
     el.appendChild(label);
   }
 
-  const style = createActorStyles();
+  const style = createActorStyles(styleNonce);
 
   return {
     el,
diff --git a/packages/feedback/src/core/createMainStyles.ts b/packages/feedback/src/core/createMainStyles.ts
index cfe50213d8c7..7c2b995274fc 100644
--- a/packages/feedback/src/core/createMainStyles.ts
+++ b/packages/feedback/src/core/createMainStyles.ts
@@ -92,7 +92,7 @@ ${
 `;
 
   if (styleNonce) {
-    style.nonce = styleNonce;
+    style.setAttribute('nonce', styleNonce);
   }
 
   return style;
diff --git a/packages/feedback/src/core/integration.ts b/packages/feedback/src/core/integration.ts
index b9d6b4fb3332..7a94ce6ea2d7 100644
--- a/packages/feedback/src/core/integration.ts
+++ b/packages/feedback/src/core/integration.ts
@@ -274,6 +274,7 @@ export const buildFeedbackIntegration = ({
         triggerLabel: mergedOptions.triggerLabel,
         triggerAriaLabel: mergedOptions.triggerAriaLabel,
         shadow,
+        styleNonce,
       });
       _attachTo(actor.el, {
         ...mergedOptions,
diff --git a/packages/feedback/src/modal/components/Dialog.css.ts b/packages/feedback/src/modal/components/Dialog.css.ts
index 48e2a05716c2..576044578247 100644
--- a/packages/feedback/src/modal/components/Dialog.css.ts
+++ b/packages/feedback/src/modal/components/Dialog.css.ts
@@ -273,7 +273,7 @@ const SUCCESS = `
 /**
  * Creates <style> element for widget dialog
  */
-export function createDialogStyles(): HTMLStyleElement {
+export function createDialogStyles(styleNonce?: string): HTMLStyleElement {
   const style = DOCUMENT.createElement('style');
 
   style.textContent = `
@@ -288,5 +288,9 @@ ${BUTTON}
 ${SUCCESS}
 `;
 
+  if (styleNonce) {
+    style.setAttribute('nonce', styleNonce);
+  }
+
   return style;
 }
diff --git a/packages/feedback/src/modal/integration.tsx b/packages/feedback/src/modal/integration.tsx
index ab0b6418b8cd..25a782db1237 100644
--- a/packages/feedback/src/modal/integration.tsx
+++ b/packages/feedback/src/modal/integration.tsx
@@ -30,7 +30,7 @@ export const feedbackModalIntegration = ((): FeedbackModalIntegration => {
       const user = getUser();
 
       const el = DOCUMENT.createElement('div');
-      const style = createDialogStyles();
+      const style = createDialogStyles(options.styleNonce);
 
       let originalOverflow = '';
       const dialog: ReturnType<FeedbackModalIntegration['createDialog']> = {
diff --git a/packages/feedback/src/screenshot/components/ScreenshotEditor.tsx b/packages/feedback/src/screenshot/components/ScreenshotEditor.tsx
index 32a69a722c48..11e49c9692ae 100644
--- a/packages/feedback/src/screenshot/components/ScreenshotEditor.tsx
+++ b/packages/feedback/src/screenshot/components/ScreenshotEditor.tsx
@@ -74,7 +74,7 @@ export function ScreenshotEditorFactory({
   const useTakeScreenshot = useTakeScreenshotFactory({ hooks });
 
   return function ScreenshotEditor({ onError }: Props): VNode {
-    const styles = hooks.useMemo(() => ({ __html: createScreenshotInputStyles().innerText }), []);
+    const styles = hooks.useMemo(() => ({ __html: createScreenshotInputStyles(options.styleNonce).innerText }), []);
     const CropCorner = CropCornerFactory({ h });
 
     const canvasContainerRef = hooks.useRef<HTMLDivElement>(null);
@@ -313,7 +313,7 @@ export function ScreenshotEditorFactory({
 
     return (
       <div class="editor">
-        <style dangerouslySetInnerHTML={styles} />
+        <style nonce={options.styleNonce} dangerouslySetInnerHTML={styles} />
         <div class="editor__canvas-container" ref={canvasContainerRef}>
           <div class="editor__crop-container" style={{ position: 'absolute', zIndex: 1 }} ref={cropContainerRef}>
             <canvas
diff --git a/packages/feedback/src/screenshot/components/ScreenshotInput.css.ts b/packages/feedback/src/screenshot/components/ScreenshotInput.css.ts
index d87293ad3fbe..ae7eaefba86b 100644
--- a/packages/feedback/src/screenshot/components/ScreenshotInput.css.ts
+++ b/packages/feedback/src/screenshot/components/ScreenshotInput.css.ts
@@ -3,7 +3,7 @@ import { DOCUMENT } from '../../constants';
 /**
  * Creates <style> element for widget dialog
  */
-export function createScreenshotInputStyles(): HTMLStyleElement {
+export function createScreenshotInputStyles(styleNonce?: string): HTMLStyleElement {
   const style = DOCUMENT.createElement('style');
 
   const surface200 = '#1A141F';
@@ -86,5 +86,9 @@ export function createScreenshotInputStyles(): HTMLStyleElement {
 }
 `;
 
+  if (styleNonce) {
+    style.setAttribute('nonce', styleNonce);
+  }
+
   return style;
 }

From 9fe2cd59a91689efa73a59f049738df5c6daf0c2 Mon Sep 17 00:00:00 2001
From: Charly Gomez <charly.gomez@sentry.io>
Date: Tue, 13 Aug 2024 10:59:04 +0200
Subject: [PATCH 5/7] fix: set nonce with method

---
 packages/browser/src/utils/lazyLoadIntegration.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/browser/src/utils/lazyLoadIntegration.ts b/packages/browser/src/utils/lazyLoadIntegration.ts
index e8c75f9476d0..33720541165b 100644
--- a/packages/browser/src/utils/lazyLoadIntegration.ts
+++ b/packages/browser/src/utils/lazyLoadIntegration.ts
@@ -56,7 +56,7 @@ export async function lazyLoadIntegration(
   script.crossOrigin = 'anonymous';
   script.referrerPolicy = 'origin';
   if (scriptNonce) {
-    script.nonce = scriptNonce;
+    script.setAttribute('nonce', scriptNonce);
   }
 
   const waitForLoad = new Promise<void>((resolve, reject) => {

From 9f1b5c8562cb3b2eacf4098d36a664d85830fa9e Mon Sep 17 00:00:00 2001
From: Charly Gomez <charly.gomez@sentry.io>
Date: Tue, 13 Aug 2024 13:16:42 +0200
Subject: [PATCH 6/7] test: update feeedback browser integration test

---
 .../{csp-nonce => captureFeedbackCsp}/init.js |  6 +-
 .../feedback/captureFeedbackCsp/template.html | 13 +++++
 .../{csp-nonce => captureFeedbackCsp}/test.ts | 55 ++++---------------
 .../suites/feedback/csp-nonce/template.html   | 10 ----
 4 files changed, 26 insertions(+), 58 deletions(-)
 rename dev-packages/browser-integration-tests/suites/feedback/{csp-nonce => captureFeedbackCsp}/init.js (77%)
 create mode 100644 dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/template.html
 rename dev-packages/browser-integration-tests/suites/feedback/{csp-nonce => captureFeedbackCsp}/test.ts (56%)
 delete mode 100644 dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html

diff --git a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/init.js b/dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/init.js
similarity index 77%
rename from dev-packages/browser-integration-tests/suites/feedback/csp-nonce/init.js
rename to dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/init.js
index 576e213e8de9..067dbec23fd4 100644
--- a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/init.js
+++ b/dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/init.js
@@ -6,9 +6,9 @@ window.Sentry = Sentry;
 
 Sentry.init({
   dsn: 'https://public@dsn.ingest.sentry.io/1337',
-  replaysOnErrorSampleRate: 1.0,
-  replaysSessionSampleRate: 1.0,
-  integrations: [Sentry.replayIntegration(), feedbackIntegration()],
+  integrations: [
+    feedbackIntegration({ tags: { from: 'integration init' }, styleNonce: 'foo1234', scriptNonce: 'foo1234' }),
+  ],
 });
 
 document.addEventListener('securitypolicyviolation', () => {
diff --git a/dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/template.html b/dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/template.html
new file mode 100644
index 000000000000..919f372ef468
--- /dev/null
+++ b/dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/template.html
@@ -0,0 +1,13 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="style-src 'nonce-foo1234'; script-src sentry-test.io 'nonce-foo1234';"
+    />
+  </head>
+  <body>
+    <div id="csp-violation" />
+  </body>
+</html>
diff --git a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/test.ts b/dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/test.ts
similarity index 56%
rename from dev-packages/browser-integration-tests/suites/feedback/csp-nonce/test.ts
rename to dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/test.ts
index 3f1003d24fa4..95a8a2eacee8 100644
--- a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/test.ts
+++ b/dev-packages/browser-integration-tests/suites/feedback/captureFeedbackCsp/test.ts
@@ -2,20 +2,12 @@ import { expect } from '@playwright/test';
 
 import { TEST_HOST, sentryTest } from '../../../utils/fixtures';
 import { envelopeRequestParser, getEnvelopeType, shouldSkipFeedbackTest } from '../../../utils/helpers';
-import {
-  collectReplayRequests,
-  getReplayBreadcrumbs,
-  shouldSkipReplayTest,
-  waitForReplayRequest,
-} from '../../../utils/replayHelpers';
 
-sentryTest('should not log CSP errors', async ({ forceFlushReplay, getLocalTestUrl, page }) => {
-  if (shouldSkipFeedbackTest() || shouldSkipReplayTest()) {
+sentryTest('should capture feedback', async ({ getLocalTestUrl, page }) => {
+  if (shouldSkipFeedbackTest()) {
     sentryTest.skip();
   }
 
-  const reqPromise0 = waitForReplayRequest(page, 0);
-
   const feedbackRequestPromise = page.waitForResponse(res => {
     const req = res.request();
 
@@ -41,42 +33,15 @@ sentryTest('should not log CSP errors', async ({ forceFlushReplay, getLocalTestU
 
   const url = await getLocalTestUrl({ testDir: __dirname });
 
-  await Promise.all([page.goto(url), page.getByText('Report a Bug').click(), reqPromise0]);
-
-  const replayRequestPromise = collectReplayRequests(page, recordingEvents => {
-    return getReplayBreadcrumbs(recordingEvents).some(breadcrumb => breadcrumb.category === 'sentry.feedback');
-  });
-
-  // Inputs are slow, these need to be serial
+  await page.goto(url);
+  await page.getByText('Report a Bug').click();
+  expect(await page.locator(':visible:text-is("Report a Bug")').count()).toEqual(1);
   await page.locator('[name="name"]').fill('Jane Doe');
   await page.locator('[name="email"]').fill('janedoe@example.org');
   await page.locator('[name="message"]').fill('my example feedback');
+  await page.locator('[data-sentry-feedback] .btn--primary').click();
 
-  // Force flush here, as inputs are slow and can cause click event to be in unpredictable segments
-  await Promise.all([forceFlushReplay()]);
-
-  const [, feedbackResp] = await Promise.all([
-    page.locator('[data-sentry-feedback] .btn--primary').click(),
-    feedbackRequestPromise,
-  ]);
-
-  const { replayEvents, replayRecordingSnapshots } = await replayRequestPromise;
-  const breadcrumbs = getReplayBreadcrumbs(replayRecordingSnapshots);
-
-  const replayEvent = replayEvents[0];
-  const feedbackEvent = envelopeRequestParser(feedbackResp.request());
-
-  expect(breadcrumbs).toEqual(
-    expect.arrayContaining([
-      expect.objectContaining({
-        category: 'sentry.feedback',
-        data: { feedbackId: expect.any(String) },
-        timestamp: expect.any(Number),
-        type: 'default',
-      }),
-    ]),
-  );
-
+  const feedbackEvent = envelopeRequestParser((await feedbackRequestPromise).request());
   expect(feedbackEvent).toEqual({
     type: 'feedback',
     breadcrumbs: expect.any(Array),
@@ -85,7 +50,6 @@ sentryTest('should not log CSP errors', async ({ forceFlushReplay, getLocalTestU
         contact_email: 'janedoe@example.org',
         message: 'my example feedback',
         name: 'Jane Doe',
-        replay_id: replayEvent.event_id,
         source: 'widget',
         url: `${TEST_HOST}/index.html`,
       },
@@ -95,7 +59,9 @@ sentryTest('should not log CSP errors', async ({ forceFlushReplay, getLocalTestU
       },
     },
     level: 'info',
-    tags: {},
+    tags: {
+      from: 'integration init',
+    },
     timestamp: expect.any(Number),
     event_id: expect.stringMatching(/\w{32}/),
     environment: 'production',
@@ -113,7 +79,6 @@ sentryTest('should not log CSP errors', async ({ forceFlushReplay, getLocalTestU
     },
     platform: 'javascript',
   });
-
   const cspContainer = await page.locator('#csp-violation');
   expect(cspContainer).not.toContainText('CSP Violation');
 });
diff --git a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html b/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html
deleted file mode 100644
index 842369a489f8..000000000000
--- a/dev-packages/browser-integration-tests/suites/feedback/csp-nonce/template.html
+++ /dev/null
@@ -1,10 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <meta charset="utf-8" />
-    <meta http-equiv="Content-Security-Policy" content="style-src 'nonce-foo1234';" />
-  </head>
-  <body>
-    <div id="csp-violation" />
-  </body>
-</html>

From 8603296e7e2dde755d8dfbcd2baf4cd333b34f44 Mon Sep 17 00:00:00 2001
From: Charly Gomez <charly.gomez@sentry.io>
Date: Tue, 13 Aug 2024 13:17:36 +0200
Subject: [PATCH 7/7] feat: add script nonce for async integration

---
 packages/browser/src/utils/lazyLoadIntegration.ts | 1 +
 packages/feedback/src/core/integration.ts         | 9 +++++++--
 packages/types/src/feedback/config.ts             | 5 +++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/packages/browser/src/utils/lazyLoadIntegration.ts b/packages/browser/src/utils/lazyLoadIntegration.ts
index 33720541165b..8c76cf9481dc 100644
--- a/packages/browser/src/utils/lazyLoadIntegration.ts
+++ b/packages/browser/src/utils/lazyLoadIntegration.ts
@@ -55,6 +55,7 @@ export async function lazyLoadIntegration(
   script.src = url;
   script.crossOrigin = 'anonymous';
   script.referrerPolicy = 'origin';
+
   if (scriptNonce) {
     script.setAttribute('nonce', scriptNonce);
   }
diff --git a/packages/feedback/src/core/integration.ts b/packages/feedback/src/core/integration.ts
index 7a94ce6ea2d7..c72b28b1d04b 100644
--- a/packages/feedback/src/core/integration.ts
+++ b/packages/feedback/src/core/integration.ts
@@ -43,7 +43,10 @@ type Unsubscribe = () => void;
 interface BuilderOptions {
   // The type here should be `keyof typeof LazyLoadableIntegrations`, but that'll cause a cicrular
   // dependency with @sentry/core
-  lazyLoadIntegration: (name: 'feedbackModalIntegration' | 'feedbackScreenshotIntegration') => Promise<IntegrationFn>;
+  lazyLoadIntegration: (
+    name: 'feedbackModalIntegration' | 'feedbackScreenshotIntegration',
+    scriptNonce?: string,
+  ) => Promise<IntegrationFn>;
   getModalIntegration?: null | (() => IntegrationFn);
   getScreenshotIntegration?: null | (() => IntegrationFn);
 }
@@ -78,6 +81,7 @@ export const buildFeedbackIntegration = ({
     },
     tags,
     styleNonce,
+    scriptNonce,
 
     // FeedbackThemeConfiguration
     colorScheme = 'system',
@@ -121,6 +125,7 @@ export const buildFeedbackIntegration = ({
       useSentryUser,
       tags,
       styleNonce,
+      scriptNonce,
 
       colorScheme,
       themeDark,
@@ -178,7 +183,7 @@ export const buildFeedbackIntegration = ({
       if (existing) {
         return existing as I;
       }
-      const integrationFn = (getter && getter()) || (await lazyLoadIntegration(functionMethodName));
+      const integrationFn = (getter && getter()) || (await lazyLoadIntegration(functionMethodName, scriptNonce));
       const integration = integrationFn();
       client && client.addIntegration(integration);
       return integration as I;
diff --git a/packages/types/src/feedback/config.ts b/packages/types/src/feedback/config.ts
index 8c0106efb0ad..0b9548b5712e 100644
--- a/packages/types/src/feedback/config.ts
+++ b/packages/types/src/feedback/config.ts
@@ -66,6 +66,11 @@ export interface FeedbackGeneralConfiguration {
    * Set a nonce to be passed to the injected <style> tag for enforcing CSP
    */
   styleNonce?: string;
+
+  /**
+   * Set a nonce to be passed to the injected <script> tag for enforcing CSP
+   */
+  scriptNonce?: string;
 }
 
 /**