[4] Feature. Plugin HTTP Header. Make csp_nonce available for JS. #38096
Comments
Hmm, I'm not sure whether it's a good idea to make the nonce available to JS, as it's the point that the hashes and nonces are generated outside of JS etc.
I don't know. My thought was that the whole source code displays the nonce attributes at several places. So, they could be picked out without any problems by malicious JS, too.
It's a dynamic JS calculation of the height of a container after any window.resize to adapt a scroll target point via CSS. addscript/addstyle are PHP methods. Even if I would find a way to write files dynamically it would mean that I write a file for any guest (different window sizes) and/or I would have to use overheaded AJAX methods.
It's even hidden in the source code editor / browser console.
Yes, there are also inline JS/CSS methods that don't require written files.
Yes, but PHP as well. That doesn't solve the problem.
@zero-24
Is your feature request related to a problem? Please describe.
<style> block dynamically on any window resize. The <style> gets appended to the <HEAD>.
style-src-nonces are activated in HTTP Header plugin.
nonce="..." attribute to the <style> by JS.
Describe the solution you'd like
which works fine for me.
Additional context
addScriptOptions() part in the HTTP Header plugin?
Thank you for your attention!
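Added example, not part of the thread and not Joomla code: one way a resize handler can obtain the page nonce for a dynamically created `<style>` under a nonce-based `style-src`, with a CSSOM fallback that needs no nonce. The names `applyScrollOffset`, `dyn-scroll-offset`, `--scroll-offset` and `.scroll-target` are hypothetical, and `fakeDocument` is a constructed stand-in for `document` so the block runs outside a browser.

```javascript
// Added example; all names here are hypothetical, none come from Joomla.
function findPageNonce(doc) {
  // With a header-delivered CSP, browsers blank the nonce content attribute
  // once the element is connected, so getAttribute('nonce') yields ''.
  // The .nonce IDL property still returns the value to same-page script.
  const el = doc.querySelector('script[nonce], style[nonce]');
  return el && el.nonce ? el.nonce : '';
}

function applyScrollOffset(doc, px) {
  // Accept numbers only, so no caller-supplied text ever reaches the CSS.
  if (!Number.isFinite(px) || px < 0) throw new RangeError('px must be a non-negative number');
  const value = Math.round(px) + 'px';
  const nonce = findPageNonce(doc);
  if (!nonce) {
    // No nonce reachable: set a custom property through the CSSOM, which
    // style-src does not restrict; static CSS reads var(--scroll-offset).
    doc.documentElement.style.setProperty('--scroll-offset', value);
    return 'cssom';
  }
  // Reuse one <style> element instead of appending a new one per resize.
  let style = doc.getElementById('dyn-scroll-offset');
  if (!style) {
    style = doc.createElement('style');
    style.id = 'dyn-scroll-offset';
    style.nonce = nonce; // set before the element is inserted and filled
    doc.head.appendChild(style);
  }
  style.textContent = '.scroll-target{scroll-margin-top:' + value + '}';
  return 'style';
}

// Constructed stand-in for document so the block runs offline under Node.
function fakeDocument(pageNonce) {
  const byId = {};
  const props = {};
  return {
    props,
    head: { children: [], appendChild(el) { this.children.push(el); byId[el.id] = el; } },
    documentElement: { style: { setProperty(k, v) { props[k] = v; } } },
    querySelector() { return pageNonce ? { nonce: pageNonce } : null; },
    getElementById(id) { return byId[id] || null; },
    createElement() { return { id: '', nonce: '', textContent: '' }; },
  };
}
```

In a browser the call would be `applyScrollOffset(document, container.offsetHeight)` from the resize handler, where `container` is whatever element the page measures.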