
feat(csp): added support for nonce #130

Open
wants to merge 2 commits into base: master

Conversation

vaske

@vaske vaske commented Jan 25, 2024

This way CSP could be satisfied and the nonce passed to inline styles.

@andreaswilli
Owner

Thanks for your PR.

I'm not really familiar with CSP and reading the docs did not make it clear what problem this is meant to solve (it also mentions using a hash should be preferred for static content, but I can't tell until I understand the problem).

Do you mind explaining why we need this?

@vaske
Author

vaske commented Jan 29, 2024

@andreaswilli Yes. If you have a web app where you are using 3rd-party libraries, with CSP you can prevent vulnerabilities and explicitly list from which domains the app can inject CSS/JS. Since here you are injecting inline CSS without the ability to carry a nonce, this is in conflict with the CSP policy and it will complain. The solution is to allow a nonce as an optional parameter and then inject it along with the styles; basically, users who use your script will pass the proper nonce and your code will just inject it inline. Another way around it would be to make the script injectable into some container, but IMHO this is a bit cleaner.

@andreaswilli
Owner

Thanks. I think I need to learn a bit more about CSP.

@vaske
Author

vaske commented Jan 31, 2024

@andreaswilli A great starting point is here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP. Please let me know whether you plan to add this soon; if not, I'm afraid I will need to find another solution for my project. Thanks 🙏

@andreaswilli
Owner

I'll look into it. Maybe I'll be quick, maybe it'll take a while, but I can't promise anything, sorry.
