@@ -85,6 +85,41 @@ the various Link options and the
8585| ` onEvent ` | ` (eventName: PlaidLinkStableEvent \| string, metadata: PlaidLinkOnEventMetadata) => void ` |
8686| ` onLoad ` | ` () => void ` |
8787| ` receivedRedirectUri ` | ` string \| null \| undefined ` |
88+ | ` cspNonce ` | ` string \| undefined ` |
89+
90+ #### Content Security Policy nonce
91+
92+ If your app uses a nonce-based Content Security Policy, generate a fresh nonce
93+ per page response and pass it as ` cspNonce `
94+ on ` usePlaidLink ` or ` PlaidEmbeddedLink ` . Only mount these components once
95+ ` cspNonce ` is known.
96+
97+ Allow that nonce in ` script-src ` , ` style-src ` , and ` style-src-elem ` . Link still
98+ requires ` style-src-attr 'unsafe-inline' ` today. You will also need ` frame-src ` and ` connect-src ` as
99+ [ documented for Link Web] ( https://plaid.com/docs/link/web/#csp-guidance ) ; for
100+ example:
101+
102+ ``` html
103+ default-src https://cdn.plaid.com/;
104+ script-src 'nonce-<PAGE _RESPONSE_NONCE >' https://cdn.plaid.com/link/v2/stable/link-initialize.js;
105+ style-src 'nonce-<PAGE _RESPONSE_NONCE >';
106+ style-src-elem 'nonce-<PAGE _RESPONSE_NONCE >';
107+ style-src-attr 'unsafe-inline';
108+ frame-src https://cdn.plaid.com/;
109+ connect-src https://production.plaid.com/;
110+ ```
111+
112+ If you omit ` cspNonce ` , behavior is unchanged (including for embedded Link).
113+
114+ ``` tsx
115+ const { open, ready } = usePlaidLink ({
116+ token: ' <GENERATED_LINK_TOKEN>' ,
117+ cspNonce: ' <PER_RESPONSE_NONCE>' ,
118+ onSuccess : (public_token , metadata ) => {
119+ // send public_token to server
120+ },
121+ });
122+ ```
88123
89124#### ` usePlaidLink ` return value
90125
0 commit comments