This way, one does not have to do
Is there a reason this can't just default to
Why do I specifically have to pass
If you are using a strict CSP (and you should be), it seems like you would want a nonce added to every
But it is all too easy to forget to manually add
And since it only adds an automatic nonce value if you have Content Security Policy enabled, I would think it would be a safe default.
So my question is, why wouldn't you want it to always add the nonce?
To that end, I've been overriding
(If for some reason you ever didn't want a nonce somewhere, you could still override by passing
Generally it's a good idea to have defaults that are secure and setting
Are you linking to a lot of external JS from a variety of domains? If so, a more secure option would be to use Subresource Integrity rather than blindly adding a nonce value.