Content Security Policy Nonce Support #167
Comments
gpa-bblackman
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
gpa-bblackman
changed the title
CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
NONCE: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
Add Nonce Support: Add additional argument support in helper function insertCSS to allows developer to pass unique Nonce value that gets added as an attribute to the <style> tag prior to being appended or prepended to the DOM (ie., document.head.appendChild(elem); or document.head.insertBefore(elem, document.head.childNodes[0]))
Nonce Addition:
elem.setAttribute('nonce', nonce);It is up to each developer to implement CSP style-scr Nonce and expose unique-per-request Nonce to the client by creating Head inline script:
<script nonce='yourdynamicnoncehere'>window.MY_NONCE = 'yourdynamicnoncehere' </script>.The developer would then pass the window object Nonce property value to insertCSS.
styles.map(style => style._insertCss({nonce: window.MY_NONCE}))insertCSS helper function could simply have a check for Nonce arg:
The text was updated successfully, but these errors were encountered: