csp_nonce() is empty #69
Comments
I just ran into this issue as well. My other Jinja2 directives are correctly being evaluated at template render time.
The behavior here is... really odd. I've verified that Flask-Talisman is properly generating a nonce upon request in _make_nonce, and it renders properly when using a template string.

rendered_template = flask.render_template_string(
    '<script nonce="{{csp_nonce()}}"></script>'
)

However, even within the same route as the call to <script nonce=""></script>

Here are my dependency versions:
Further inspection of the HTML output shows that it's the browser that strips out the nonce. If you inspect the HTML before it hits the browser, the nonce shows up just fine.

<script nonce="uaWC_w0IGf4LlWnB">

It looks like this might be working for me now; after inspecting the CSP policy further, the nonce appears to be included:
Verified as well!
Hi, I might be doing something really stupid but I can't find much documentation or examples, other than the main page on GitHub and the example about CSP.
My issue is that csp_nonce() is evaluating to an empty string. What am I doing wrong?
I include the relevant parts of my code (it is a much bigger project so I am trying to post only relevant parts, but if you need anything more, please let me know).
While the CSP header does contain the nonce:
Content-Security-Policy: style-src 'self' https://fonts.googleapis.com 'nonce-XleICcqjjVeXsgKoEn6gLA'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'nonce-XleICcqjjVeXsgKoEn6gLA'
Flask app:
Page in the browser (notice how the nonce is empty):