Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use nonce attribute for all scripts and preloads if provided #4539

Merged
merged 4 commits into from
Jun 28, 2018
Merged

Use nonce attribute for all scripts and preloads if provided #4539

merged 4 commits into from
Jun 28, 2018

Conversation

novascreen
Copy link
Contributor

When implementing a strict CSP with nonces and strict-dynamic, every script and preload requires a nonce.

https://csp.withgoogle.com/docs/strict-csp.html

@novascreen
Use nonce attribute for all scripts and preloads if provided
48297d7 
When implementing a strict CSP with nonces and strict-dynamic every script and preload requires a nonce.
@novascreen
Merge branch 'canary' into strict-csp-nonces
0a2b206
@vinaypuppal vinaypuppal mentioned this pull request Jun 15, 2018
Closed
@jlecomte
Copy link

LGTM. Can we get this in soon? Because of this bug, I currently have to add unsafe-inline to the script-src section of my CSP policy, which makes the entire policy somewhat useless... Thanks!

timneutkens
timneutkens requested changes Jun 26, 2018
View reviewed changes
Copy link
Member

@timneutkens timneutkens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a test for this in test/integration/app-document?

@novascreen
Copy link
Contributor Author

@timneutkens i added a test, i believe it tests all instances except for the dynamic chunks, not sure how to test those inside of the app-document test suite

@timneutkens
Copy link
Member

@novascreen that's fine, no worries 👍

@timneutkens timneutkens merged commit 1c817d2 into vercel:canary Jun 28, 2018
@joaovieira
Copy link

joaovieira commented Jun 29, 2018
edited
Loading

This is great. But there is no documentation at all on using nonces. Example in the docs would be much appreciated. Thanks.

E.g. https://github.com/helmetjs/csp#generating-nonces

@novascreen novascreen mentioned this pull request Jul 28, 2018
Merged
@novascreen
Copy link
Contributor Author

@joaovieira there are some details in the README and an example now:
https://github.com/zeit/next.js/tree/canary/examples/with-strict-csp

@novascreen novascreen deleted the strict-csp-nonces branch August 7, 2018 15:16
@lock lock bot locked as resolved and limited conversation to collaborators Aug 7, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jlecomte jlecomte jlecomte approved these changes

@timneutkens timneutkens timneutkens approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@novascreen @jlecomte @timneutkens @joaovieira