feat(runtime): support for CSP nonces #3823
Is there a format that a nonce should be in? I don't see any guidance in the JSDoc as to what I should pass in if I'm a user and looking at the documentation provided by my IDE 🤔
I wonder if there's anything we should do from a type perspective to enforce a certain format 🤔
We can definitely link out to guidelines around nonce generation, but it didn't seem like Stencil's responsibility to enforce a "correct" nonce. I found these guidelines on one of the pages I was using for reference during development/testing:
Yeah, perhaps this lives in the documentation to point to best practices around using a nonce
I have a guide drafted up that will go on our docs. I'll add a section for this topic and link out to that resource I was using. I'll get a PR up for that tomorrow.
This is probably going to be covered by the docs, but is the assumption that users will have to change the nonce server-side for every request that's served?
Sorta. I'm not sure the best way to phrase it, but the idea is that a nonce should be unique "per page view". So, for an SPA like an Angular app, you can just generate a nonce at initial bootstrap and use that for the page's lifetime.