
csp_nonce() is empty #69

Closed
miquelvir opened this issue Dec 28, 2020 · 5 comments

Comments

@miquelvir

miquelvir commented Dec 28, 2020

Hi, I might be doing something really stupid but I can't find much documentation or examples, other than the main page on GitHub and the example about CSP.

My issue is that csp_nonce() is evaluating to an empty string. What am I doing wrong?

I include the relevant parts of my code (it is a much bigger project so I am trying to post only relevant parts, but if you need anything more, please let me know).

<!doctype html>
<html lang="en">
<head>
    [...]
    <link href="/static/css/main.68b8b5e7.chunk.css" rel="stylesheet">
</head>
<body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div>
<script>[...] </script>
<script src="/static/js/2.389a3736.chunk.js" nonce="{{ csp_nonce() }}"></script>
<script src="/static/js/main.f39b6155.chunk.js" nonce="{{ csp_nonce() }}"></script>
</body>
</html>

While the CSP header does contain the nonce:

Content-Security-Policy | style-src 'self' https://fonts.googleapis.com 'nonce-XleICcqjjVeXsgKoEn6gLA'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'nonce-XleICcqjjVeXsgKoEn6gLA'

Flask app:

from flask import Flask, render_template
from flask_talisman import Talisman

app = Flask(__name__)  # the app object is created elsewhere in the full project

man = Talisman()
man.init_app(app, content_security_policy={
    "style-src": ["'self'", 'https://fonts.googleapis.com'],
    "font-src": ["'self'", 'https://fonts.gstatic.com'],
    "img-src": "'self' data:",
    "script-src": ["'self'"],
}, content_security_policy_nonce_in=['script-src', 'style-src'])


@app.route('/')
def index():
    return render_template('index.html')

Page in the browser (notice how the nonce is empty):

<html lang="en">
<head>
    <link href="/static/css/main.68b8b5e7.chunk.css" rel="stylesheet">
<style data-jss="" data-meta="MuiGrid" nonce=""> [...]</style>
<style data-jss="" data-meta="MuiBox" nonce=""></style>
<style data-jss="" data-meta="MuiBox" nonce=""></style>
<style data-jss="" data-meta="makeStyles" nonce="">[...]</style>
</head>
<body>
<div id="root"></div>
<script nonce="">[...]</script>
<script src="/static/js/2.389a3736.chunk.js" nonce=""></script>
<script src="/static/js/main.f39b6155.chunk.js" nonce=""></script>
</body></html>
@WardBenjamin

I just ran into this issue as well. My other Jinja2 directives are correctly being evaluated at template render time.

@WardBenjamin

WardBenjamin commented Jan 18, 2021

The behavior here is... really odd.

I've verified that Flask-Talisman is properly generating a nonce upon request in _make_nonce, and it renders properly when using a template string.

rendered_template = flask.render_template_string(
    '<script nonce="{{csp_nonce()}}"></script>'
)

However, even within the same route as the call to render_template_string, and copy-pasting the same exact string into the template, the rendered HTML doesn't contain a nonce:

<script nonce=""></script>

Here are my dependency versions:

certifi==2020.12.5
chardet==4.0.0
click==7.1.2
Flask==1.1.2
Flask-Admin==1.5.7
Flask-SQLAlchemy==2.4.4
flask-talisman==0.7.0
Flask-WTF==0.14.3
idna==2.10
itsdangerous==1.1.0
Jinja2==2.11.2
MarkupSafe==1.1.1
plaid-python==7.2.0
pycparser==2.20
python-dotenv==0.15.0
pythonnet==2.5.1
pywebview==3.4
requests==2.25.1
six==1.15.0
SQLAlchemy==1.3.22
urllib3==1.26.2
Werkzeug==1.0.1
WTForms==2.3.3

@WardBenjamin
Copy link

Further inspection of the HTML output shows that it's the browser that strips out the nonce. If you inspect the HTML before it hits the browser, the nonce shows up just fine.

<script nonce="uaWC_w0IGf4LlWnB">

It looks like this might be working for me now; after inspecting the CSP policy further, the nonce appears to be included:

default-src 'self'; 
script-src 'self' https://cdn.plaid.com https://code.jquery.com 'nonce-2lU4ltvOUu09tGhu'; 
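To make the distinction in the comment above concrete (the nonce is present in the raw response but shows as nonce="" in the browser's DOM, because CSP Level 3 browsers blank the content attribute after reading it), here is an added Python example. It is not code from this issue or from Flask-Talisman: make_nonce, build_csp, header_nonces and check_response are hypothetical helpers written for this illustration, the policy dictionary copies the one posted in the issue, and the two HTML samples are constructed. The check is meant to be run against the raw response (curl -i, or Flask's test client), never against what the DevTools inspector displays.

```python
import re
import secrets
from html.parser import HTMLParser

# Policy in the shape Flask-Talisman's content_security_policy takes; values
# copied from the issue. NONCE_IN mirrors content_security_policy_nonce_in.
POLICY = {
    "style-src": ["'self'", "https://fonts.googleapis.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
    "img-src": "'self' data:",
    "script-src": ["'self'"],
}
NONCE_IN = ["script-src", "style-src"]

_NONCE_TOKEN = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")


def make_nonce():
    """Fresh per-response nonce: 16 random bytes, URL-safe base64, no padding.
    Assumption: this approximates what Talisman's _make_nonce emits."""
    return secrets.token_urlsafe(16)


def build_csp(policy, nonce, nonce_in):
    """Serialise the policy to a header value, appending 'nonce-...' only to
    the directives listed in nonce_in (hypothetical stand-in for Talisman)."""
    parts = []
    for directive, sources in policy.items():
        value = sources if isinstance(sources, str) else " ".join(sources)
        if directive in nonce_in:
            value += f" 'nonce-{nonce}'"
        parts.append(f"{directive} {value}")
    return "; ".join(parts)


def header_nonces(header):
    """Map each directive in a CSP header to the set of nonces it allows."""
    result = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        directive, _, value = part.partition(" ")
        result[directive] = set(_NONCE_TOKEN.findall(value))
    return result


class _NonceCollector(HTMLParser):
    """Record the nonce attribute (None if absent) of every script/style tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.found.append((tag, dict(attrs).get("nonce")))


def html_nonces(html):
    parser = _NonceCollector()
    parser.feed(html)
    parser.close()
    return parser.found


def check_response(header, html):
    """Cross-check raw HTML against the header. Returns a list of findings;
    empty means every script/style element carries a nonce the matching
    directive allows. An element with no nonce is flagged whenever the
    header advertises one for that directive, since that is exactly the
    'template did not render csp_nonce()' symptom from the issue."""
    allowed_by_directive = header_nonces(header)
    directive_for = {"script": "script-src", "style": "style-src"}
    findings = []
    for tag, nonce in html_nonces(html):
        allowed = allowed_by_directive.get(directive_for[tag], set())
        if not allowed:
            continue  # no nonce advertised for this directive; nothing to compare
        if not nonce:
            findings.append(f"<{tag}> has an empty or missing nonce; header allows {sorted(allowed)}")
        elif nonce not in allowed:
            findings.append(f"<{tag}> nonce {nonce!r} is not in the header's {directive_for[tag]} nonces")
    return findings


def demo():
    """Constructed round trip: raw server output passes, the DOM view fails."""
    nonce = make_nonce()
    header = build_csp(POLICY, nonce, NONCE_IN)
    # Constructed raw response body, as the server sends it.
    raw_html = f"""<html><head>
<style nonce="{nonce}">body{{margin:0}}</style></head>
<body><script src="/static/js/main.js" nonce="{nonce}"></script>
<script nonce="{nonce}">console.log(1)</script></body></html>"""
    # Constructed DOM view: a CSP3 browser blanks the attribute (nonce hiding),
    # which is what the inspector showed in this issue.
    dom_html = raw_html.replace(f'nonce="{nonce}"', 'nonce=""')
    return check_response(header, raw_html), check_response(header, dom_html)


if __name__ == "__main__":
    raw_findings, dom_findings = demo()
    print("raw response:", raw_findings or "all nonces match the header")
    print("DOM view:", dom_findings)
```

The design point is that the header and the body must be checked together from the same response, because Talisman mints a new nonce per request; fetching the page twice and comparing would always fail. The second return value of demo() shows why inspecting the live DOM gives a false negative: the three findings it produces are the blanked attributes, not a server-side bug.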

@miquelvir

I've verified that Flask-Talisman is properly generating a nonce upon request in _make_nonce, and it renders properly when using a template string.

Verified as well!

@miquelvir

https://stackoverflow.com/a/55673767/9415337
