Make Content Security Policy (CSP) nonce available in template.html #1248
Comments
martinburger
changed the title
|
This has been added in 0.28.9. |
|
I've upgraded and want to use it. I've two script tags in my template.html, the first one gets the nounce, but not the second one... output from chrome devtools below: Here's my template html.html snippet with two times <script src="https://www.gstatic.com/firebasejs/7.21.1/firebase-app.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.21.1/firebase-auth.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.21.1/firebase-firestore.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.21.1/firebase-storage.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.21.1/firebase-messaging.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.21.1/firebase-performance.js"></script>
<script src="https://www.gstatic.com/firebasejs/7.21.1/firebase-analytics.js"></script>
<script nonce="%sapper.cspnonce%" src="./firebase-init.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/gun.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/nts.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/sea.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/lib/radix.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/lib/radisk.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/lib/store.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/lib/rindexed.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/lib/then.js"></script>
<script src="https://cdn.jsdelivr.net/npm/gun@0.2020.520/lib/webrtc.js"></script>
<script nonce="%sapper.cspnonce%" src="./gun-init.js"></script>And here the snippet from my const helmetMiddleware = ( request, response, next ) => {
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
connectSrc: [ 'api.stripe.com', 'hooks.stripe.com' ],
frameSrc: [ 'js.stripe.com', 'hooks.stripe.com' ],
imgSrc: [ '*.stripe.com' ],
scriptSrc: [ "'self'", 'js.stripe.com', ( request, response ) => `'nonce-${ response.locals.nonce }'` ],
},
browserSniff: false,
},
})
}Seems the first appearance of @martinburger also, if I understand correctly I could get rid of the |
|
@evdama I am quite sure it is only getting replaced once because The code should look something like this imo: Regarding the |
|
I've filed a bug to track that issue: #1565. If anyone wants to send a PR for it I will help review it |
Is your feature request related to a problem? Please describe.
I would like to use Content Security Policy (CSP) nonces in
template.html. For instance:That way, I would not have to include
'self'inscript-srcanymore. According to Google's CSP Evaluator, "'self' can be problematic if you host JSONP, Angular or user uploaded files."Describe the solution you'd like
I would like to use something like
%sapper.cspnonce%in mytemplate.htmlfile:Sapper would replace
%sapper.cspnonce%with the value ofres.locals.nonce, if any.Describe alternatives you've considered
I could not find any way to include the nonce injected via
res.locals = { nonce: uuidv4() }inserver.js.How important is this feature to you?
I would like to maximize security for the users of my Sapper app.
Additional context
See Content Security Policy (CSP) in the Sapper documentation for more details on that approach.
The text was updated successfully, but these errors were encountered: