Contrib.social

Allow script / style by nonce

Open on Drupal.org →
Created on 9 October 2019, over 5 years ago
Updated 22 September 2023, over 1 year ago

This article outlines some advantages of using nonces to allow external scripts: https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/.

  • Allowing a CDN domain (e.g. cdnjs.com) allows any library available on the cdn, including older (potentially insecure) versions
  • A single nonce can allow multiple scripts across external domains, shortening the policy header

Though the article uses Cloudflare Workers to isolate nonce generation from the application, having Drupal generate the nonce would have the same effect.

TODO

  • Some way to specify scripts that should use a nonce instead of being allowed by domain
  • Generate nonce value and add attribute to relevant elements

----

I previously assumed that each request required a new nonce so would be incompatible with page caching, but if I understand correctly a nonce must only be unique each time a page is generated.

Feature request
Status

Postponed

Version

1.0

Component

Code

Created by

🇨🇦Canada gapple

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago
    🇨🇦Canada gapple

    Since report-only and enforced policies are separate objects, the page nonce will need to be generated & statically cached in a separate service so that it is consistent between them if both policies are added to a response.

  • Comment over 1 year ago
    🇨🇦Canada gapple
    • Add nonce service Fixed added a nonce service so that a single nonce value can be used for each request by any module.
    • Expose nonce for javascript libraries Needs review will expose the nonce to libraries if needed - e.g. to propagate the nonce to dynamically inserted scripts
    • Enable conditional/alternate directive values Active will allow modules to specify domains that can be omitted from a directive if a nonce can be applied to the page, or safely fall back to domains if another module relies on 'unsafe-inline'
  • Comment over 1 year ago
    🇧🇪Belgium dieterholvoet Brussels

    I previously assumed that each request required a new nonce so would be incompatible with page caching, but if I understand correctly a nonce must only be unique each time a page is generated.

    Caching nonces is usually not a problem, but it's not 100% safe either. See the explanation at https://serverfault.com/a/1064775. Maybe you could add a disclaimer somewhere in the module description, or on the FAQ page in the documentation?

  • Status changed to Active about 2 months ago
  • Comment about 2 months ago
    🇦🇺Australia mstrelan

    Since we have nonce support now this should no longer be postponed. Please change it back if I'm wrong. I'm interested to see if we can add the nonce to all external scripts that are loaded by libraries and therefore allow strict-dynamic

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024