Allow nonce to be provided in DOM node #4558

Status: Open, wants to merge 1 commit into base: main

Conversation

Psvensso

Allowing inline script execution is probably an even worse idea than inline styles.
So using a global script like the example below is probably not the nicest approach.

```html
<script>
 window.litNonce = 'abc123';
</script>
```

Suggest to support the nonce via a DOM element instead.
https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce#accessing_nonces_and_nonce_hiding

This PR adds the ability to create a style or script tag with your nonce and keeps the global litNonce as a fallback.


google-cla bot commented Feb 22, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.



changeset-bot bot commented Feb 22, 2024

⚠️ No Changeset found

Latest commit: e708b27

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets



📊 Tachometer Benchmark Results

Summary

A summary of the benchmark results will show here once they finish.

Results

The full results of your benchmarks will show here once they finish.

tachometer-reporter-action v2 for Benchmarks

@Psvensso (Author)

This PR does NOT contain:
- Tests
- Updated docs

It was created as a discussion point; if you think this is a valid approach, I can update the PR to include tests and docs for a complete PR.

@justinfagnani (Collaborator)

> Allowing inline script execution is probably an even worse idea than inline styles.

The idea is that the page can control the execution of that script with a nonce itself. Most pages with CSP will be disallowing inline script.

Reading a nonce off a style tag in the shadow root won't work because that's where we're trying to write the nonce to. We need a place outside of the shadow root to read the nonce from. Reading from another script or style tag isn't correct either, because that nonce attribute is for the specific tag it lives on.
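Added example, not part of the PR or of Lit's code base, modelling the lookup order the PR description proposes (a marked DOM node first, `window.litNonce` as the fallback) and the point in the reply above that the nonce has to be read from somewhere outside the shadow root being styled: the lookup runs against the document, and the resolved value is then stamped on the `<style>` element Lit would inject. The `data-lit-nonce` marker, the function names and the fake DOM used to run it offline are assumptions made for illustration. The value is read through the `.nonce` IDL property because, as the MDN page linked in the description explains, browsers blank the `nonce` content attribute once a header-delivered CSP is in force, so `getAttribute('nonce')` returns an empty string.

```javascript
// Added example (not Lit's code). Nonce lookup in the order the PR proposes,
// plus the nonce-hiding behaviour described on the linked MDN page.
// `data-lit-nonce`, resolveNonce and createNoncedStyle are illustrative names.

const DEFAULT_SELECTOR = 'script[data-lit-nonce], style[data-lit-nonce]';

/**
 * Resolve the CSP nonce to stamp on the <style>/<script> tags Lit creates.
 *   1. an element in the document the page marked with data-lit-nonce
 *      (assumed convention; the document, not the shadow root, is searched)
 *   2. the executing classic script (document.currentScript is null in modules)
 *   3. the global litNonce fallback the PR keeps
 * Always read via the `.nonce` IDL property: under a header-delivered CSP the
 * browser blanks the content attribute on insertion, so getAttribute('nonce')
 * returns '' even though the element still carries its nonce.
 */
function resolveNonce(doc, global, selector = DEFAULT_SELECTOR) {
  const marked = doc.querySelector(selector);
  if (marked && marked.nonce) return marked.nonce;
  const current = doc.currentScript;
  if (current && current.nonce) return current.nonce;
  if (typeof global.litNonce === 'string' && global.litNonce !== '') return global.litNonce;
  return undefined;
}

/**
 * Create an inline <style> that a `style-src 'nonce-...'` directive accepts.
 * Setting the IDL property records the nonce without writing a content
 * attribute, so it is not exposed when the element is serialized.
 */
function createNoncedStyle(doc, cssText, nonce) {
  const style = doc.createElement('style');
  if (nonce) style.nonce = nonce;
  style.textContent = cssText;
  return style;
}

// ---- Constructed stand-in for the DOM so this runs offline (not a real DOM) --
// Mimics nonce hiding: `.nonce` keeps the value, getAttribute('nonce') is ''.
function fakeElement(tagName, attrs = {}) {
  const el = { tagName, nonce: '', textContent: '', attrs: { ...attrs } };
  if ('nonce' in attrs) { el.nonce = attrs.nonce; el.attrs.nonce = ''; }
  el.getAttribute = (name) => (name in el.attrs ? el.attrs[name] : null);
  el.matches = (sel) => sel.split(',').some((s) => {
    const [, tag, attr] = s.trim().match(/^(\w+)\[([\w-]+)\]$/) || [];
    return tag === el.tagName && attr !== undefined && attr in el.attrs;
  });
  return el;
}

function fakeDocument(elements, currentScript = null) {
  return {
    currentScript,
    querySelector: (sel) => elements.find((e) => e.matches(sel)) || null,
    createElement: (tagName) => fakeElement(tagName),
  };
}

// Three constructed pages, one per lookup path.
function demo() {
  const marked = fakeDocument([fakeElement('script', { 'data-lit-nonce': '', nonce: 'r4nd0m' })]);
  const viaCurrent = fakeDocument([], fakeElement('script', { nonce: 'cur123' }));
  const globalOnly = fakeDocument([]);
  return {
    fromMarkedNode: resolveNonce(marked, {}),
    hiddenAttribute: marked.querySelector(DEFAULT_SELECTOR).getAttribute('nonce'),
    fromCurrentScript: resolveNonce(viaCurrent, {}),
    fromGlobal: resolveNonce(globalOnly, { litNonce: 'abc123' }),
    none: resolveNonce(globalOnly, {}),
    styleNonce: createNoncedStyle(marked, ':host { display: block }', resolveNonce(marked, {})).nonce,
  };
}
```

Whichever element supplies the value, it only helps if it is the per-response nonce the server put in the `Content-Security-Policy` header; a nonce that is fixed in markup or otherwise predictable gives an injected script the same access as `'unsafe-inline'`. Two further caveats from the thread apply: `document.currentScript` is `null` inside ES modules, so that path only covers classic scripts, and setting `window.litNonce` from an inline `<script>` still requires that script itself to be allowed by the policy, by its own nonce or a hash.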
