-
-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add cspNonce option to add a nonce attribute to the <script> #47
Conversation
@rwjblue could you have a look, please? :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I'm not sure about this. A nonce is supposed to be regenerated with each request but this implementation uses a single static nonce (AFAICT).
Wouldn't a hash be a better solution? I think we can easily compute the hash to include based on the content we actually send...
@sandstrom (sorry to pester), do you have thoughts on this?
@eturino @rwjblue I see two alternatives here:
I think the second alternative is much better! (but it's slightly more complicated) More details here: rwjblue/ember-cli-content-security-policy#67 I also agree with @rwjblue that a static nonce is a bad idea. The standard is pretty clear on using a dynamic nonce (generated for each http request). |
I intended this only for development, to be honest. To be honest, I have no experience building addons, so I have no idea if we could make this environment dependent.
|
For your own fork the code in this PR works well, so feel free to use it for local development! However, due to the aforementioned reasons (my and rwjblues comments) I'm not sure it's a good idea to merge this PR in its current state, even if the code was restricted to development only (like you suggest). |
fair enough :) |
@eturino I still agree with you that CSP nonce support would be great (I want it myself), but I think it's better to make something that'll work for both production and development. For that, rwjblue/ember-cli-content-security-policy#67 is probably a good way to start. If you want to dig in I'm happy to provide some pointers on where to start! 😄 |
for CSP compliance options.
This will allow using strict CSP in development using
script-dynamic
and a nonce.