Allow to pass nonce option to getBrowserTimingHeader.

[joaovieira]

CHANGE LOG

• Allow to pass nonce to getBrowserTimingHeader()

INTERNAL LINKS

https://discuss.newrelic.com/t/content-security-policy-and-browser-injection/2629/42

NOTES

getBrowserTimingHeader generates an inline script tag. This is generally a bad practice if you want to protect your page with HTTP Content-Security-Policy (CSP) header. In the situations you do require it you should generate and pass a nonce UUID which tells the browser those scripts are allowed to be executed.

This PR adds an option to add a nonce attribute to the generated <script> tag.

Currently we're injecting the nonce in the middle of the returned string header with String.substr() - which is not ideal.

[NatalieWolfe]

Thanks for the contribution, @joaovieira! This looks great, so I'll pull it into our dev repo and make sure it gets released soon.

[NatalieWolfe]

@joaovieira This was released in 4.3.0. Please try it out and let us know if it works! Thanks again for contributing this feature.

[joaovieira]

@NatalieWolfe sorry for the delay. Just tested it and worked perfectly. Thanks for the update!

[ccope]

For others who see this, the nonce header is set on the script tag returned by this function, but that script generates another script tag which loads from New Relic's servers. So you still need to whitelist them in your CSP string.