-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Content Security Policy Nonce Support #167
Comments
gpa-bblackman
changed the title
Content Security Policy
Content Security Policy Nonce Support
Aug 14, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
NONCE: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
Add Nonce Support: Add additional argument support in helper function insertCSS to allows developer to pass unique Nonce value that gets added as an attribute to the <style> tag prior to being appended or prepended to the DOM (ie., document.head.appendChild(elem); or document.head.insertBefore(elem, document.head.childNodes[0]))
Nonce Addition:
elem.setAttribute('nonce', nonce);
It is up to each developer to implement CSP style-scr Nonce and expose unique-per-request Nonce to the client by creating Head inline script:
<script nonce='yourdynamicnoncehere'>window.MY_NONCE = 'yourdynamicnoncehere' </script>
.The developer would then pass the window object Nonce property value to insertCSS.
styles.map(style => style._insertCss({nonce: window.MY_NONCE}))
insertCSS helper function could simply have a check for Nonce arg:
The text was updated successfully, but these errors were encountered: