
[4] Feature. Plugin HTTP Header. Make csp_nonce available for JS. #38096

Closed
ReLater opened this issue Jun 19, 2022 · 4 comments

Comments

@ReLater
Contributor

ReLater commented Jun 19, 2022

@zero-24

Is your feature request related to a problem? Please describe.

  • A JavaScript adds or changes a <style> block dynamically on any window resize. The <style> gets appended to the <head>.
  • The CSS is blocked by the CSP header if style-src nonces are activated in the HTTP Header plugin.
  • Therefore one has to add the nonce="..." attribute to the <style> via JS.

Describe the solution you'd like

  • At the moment I use an additional custom system plugin that makes the nonce available via JS by:
// Requires `use Joomla\CMS\Factory;` at the top of the plugin file.
public function onAfterDispatch()
{
    // The csp_nonce parameter is set on the application by the HTTP Header plugin in its `__construct()`.
    Factory::getDocument()->addScriptOptions('csp_nonce', $this->app->get('csp_nonce', ''));
}
  • Then I can get the nonce in JS via:
const nonce = Joomla.getOptions('csp_nonce', '');
let css = document.createElement('style');

// Attach the nonce before the element is inserted into the document.
if (nonce) {
  css.setAttribute('nonce', nonce);
}

which works fine for me.

Additional context

  • Is it possible to integrate the addScriptOptions() part in the HTTP Header plugin?

Thank you for your attention!
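A worked version of the approach described in this issue, written here as an added example; it is not code from the issue or from Joomla's HTTP Header plugin. It parses a Content-Security-Policy header to find which directive governs inline <style> elements (style-src-elem, then style-src, then default-src as fallback), extracts the nonce the page may use, and checks the reason the CSS gets blocked in the first place: once a nonce or hash source is present in that directive, CSP2+ browsers ignore 'unsafe-inline', so a dynamically created <style> without a nonce is rejected. The element builder attaches the nonce before insertion, which is when the browser checks it. The sample header, the nonce value and the fake document used to run the code outside a browser are constructed for this example; in a real page the live document and the nonce from Joomla.getOptions('csp_nonce', '') would be passed in instead.

```javascript
// Added example, not code from the issue or from Joomla's HTTP Header plugin.
// All inputs below (sample header, nonce value, fake document) are constructed.

// Parse "directive src src; directive ..." into { directive: [sources] }.
// Per CSP, a directive repeated within one policy is ignored after its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Source list that governs inline <style> elements, in CSP fallback order.
function inlineStyleSources(policy) {
  for (const name of ['style-src-elem', 'style-src', 'default-src']) {
    if (name in policy) return policy[name];
  }
  return null; // no directive applies: inline styles are unrestricted
}

// Nonce values the policy permits on <style> elements (usually exactly one).
function styleNonces(policy) {
  const sources = inlineStyleSources(policy) || [];
  return sources
    .map(s => /^'nonce-([A-Za-z0-9+/_-]+=*)'$/.exec(s))
    .filter(Boolean)
    .map(m => m[1]);
}

// True when an inline <style> is accepted without a nonce or hash, i.e. when
// 'unsafe-inline' is present and not cancelled by a nonce/hash source.
function inlineStyleAllowedWithoutNonce(policy) {
  const sources = inlineStyleSources(policy);
  if (sources === null) return true;
  const lower = sources.map(s => s.toLowerCase());
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Create the <style>, attach the nonce BEFORE it enters the document (the
// browser evaluates the nonce at insertion time), then append it.
function appendNoncedStyle(doc, parent, cssText, nonce) {
  const style = doc.createElement('style');
  style.textContent = cssText;
  if (nonce) style.setAttribute('nonce', nonce);
  parent.appendChild(style);
  return style;
}

// Constructed stand-in for document/head so the example runs outside a browser.
// It does not model CSP3 nonce hiding; a real document blanks getAttribute('nonce')
// after insertion and only the `nonce` property keeps the value.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); return el; } };
  return {
    head,
    createElement(tag) {
      const attrs = {};
      return {
        tagName: tag.toUpperCase(),
        textContent: '',
        setAttribute(k, v) { attrs[k] = String(v); },
        getAttribute(k) { return k in attrs ? attrs[k] : null; },
      };
    },
  };
}

// Constructed header in the shape a nonce-enabled style-src policy takes.
const SAMPLE_CSP =
  "default-src 'self'; style-src 'self' 'unsafe-inline' 'nonce-d2Vha2x5cmFuZG9t'; script-src 'self'";

function demo() {
  const policy = parseCsp(SAMPLE_CSP);
  const nonces = styleNonces(policy);
  const doc = fakeDocument();
  const el = appendNoncedStyle(doc, doc.head, '#target { scroll-margin-top: 120px; }', nonces[0]);
  return { needsNonce: !inlineStyleAllowedWithoutNonce(policy), nonce: el.getAttribute('nonce') };
}
```

On a live page, setting the nonce with style.setAttribute('nonce', nonce) or with the style.nonce property before appendChild both work; after insertion a CSP3 browser hides the attribute from getAttribute and DOM inspection, which is why reading it back must go through the nonce property. The nonce is per response and already visible wherever the server placed it, so handing the same value to the page's own scripts does not widen what an injected script could already obtain in a pre-CSP3 browser; the protection comes from the value being unguessable per response, not from hiding it from the page's own JS.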

@ReLater ReLater changed the title Plugin HTTP Header. Make csp_nonce available for JS. [4] Feature. Plugin HTTP Header. Make csp_nonce available for JS. Jun 19, 2022
@zero-24
Contributor

zero-24 commented Jun 19, 2022

Hmm, I'm not sure whether it's a good idea to make the nonce available to JS, as the point is that the hashes and nonces are generated outside of JS etc.
What about passing the new script via the addscript/addstyle that will generate the hash and nonce?

@ReLater
Contributor Author

ReLater commented Jun 19, 2022

I'm not sure whether it's a good idea to make the nonce available to JS, as the point is that the hashes and nonces are generated outside of JS etc.

I don't know. My thought was that the whole source code displays the nonce attributes at several places. So, they could be picked out without any problems by malicious JS, too.

What about passing the new script via the addscript/addstyle that will generate the hash and nonce?

It's a dynamic JS calculation of the height of a container after any window.resize to adapt a scroll target point via CSS. addscript/addstyle are PHP methods. Even if I found a way to write files dynamically, it would mean that I write a file for every guest (different window sizes) and/or I would have to use AJAX methods with a lot of overhead.

@zero-24
Contributor

zero-24 commented Jun 19, 2022

I don't know. My thought was that the whole source code displays the nonce attributes at several places. So, they could be picked out without any problems by malicious JS, too.

It's even hidden in the source code editor / browser console.

It's a dynamic JS calculation of the height of a container after any window.resize to adapt a scroll target point via CSS. addscript/addstyle are PHP methods. Even if I found a way to write files dynamically, it would mean that I write a file for every guest (different window sizes) and/or I would have to use AJAX methods with a lot of overhead.

Yes, there are also inline JS/CSS methods that don't require written files.

@ReLater
Contributor Author

ReLater commented Jun 19, 2022

Yes, there are also inline JS/CSS methods that don't require written files.

Yes, but that is PHP as well. That doesn't solve the problem.

@ReLater ReLater closed this as completed Jun 19, 2022