Dynamic CSP Nonce Support

[srikrsna]

Hi

Great work. Thanks for this awesome middleware.

Can I send a PR for adding dynamic CSP nonce?

Proposed Implementation would extend the current solution without breaking anything

Now
ContentSecurityPolicy: "script-src 'self'"

Proposed Solution

ContentSecurityPolicy: "script-src 'self' {{ . }}"

Will use Go's template/text package to change this to to a fmt string i.e. script-src 'self' 'nonce-%s' then use this to send headers on every request with a unique nonce for each request.

Add a new Nonce(r *http.Request) function globally to get the nonce for the present request which can be later used to add nonce to scripts like,

<script nonce="2726c7f26c"> var inline = 1; </script>

There can also a nonce length property.

[unrolled]

Yes! I think that would be a good addition. I would suggest adding a new setting parameter that is disabled (false) by default.

[eKristensen]

I am very new to Go, so this might be a stupid question. But I'm totally stuck.

I see the Nonce function that this issue talks about has been removed again. I have a script in a template where i would like to add a nonce, however I'm completely unable to pass the nonce value to the template. I don't know what variable name i would place in the template. I see the tests uses some w.Write([]byte(CSPNonce(r.Context()))), however I dont know how to combine that with gorilla/mux that i have now. If i ass {{$NONCE}} in the template go does not compile. {{.nonce}} does not work either. Even then i'm not actually sure what CSPNonce does. How does it know where to inject the nonce?

It sets the header just fine. and the router.Use(secureMiddleware.Handler) works just fine. My issue is that i don't know how to get the nonce into the template :/

I use template.Must to save the template to a global variable that i then use when i need to render a page.

Can anybody help, please? Thank you so much in advance!

Edit: managed to get a "fix". This is is how i do:

func GetIndex(w http.ResponseWriter, r *http.Request) {
template.Execute(w, map[string]interface{}{
"nonce": secure.CSPNonce(r.Context()),
})
}

I use secure.CSPNonce(r.Context()) to get the nonce, and then i can use {{.nonce}} in my template. Is this the intended way to do it?

[unrolled]

@eKristensen Yes! Using secure.CSPNonce(r.Context()) is the ideal way to surface the nonce.