- 🇨🇦Canada gapple
Since report-only and enforced policies are separate objects, the page nonce will need to be generated & statically cached in a separate service so that it is consistent between them if both policies are added to a response.
- 🇨🇦Canada gapple
- ✨ Add nonce service (Fixed): added a nonce service so that a single nonce value can be used for each request by any module.
- ✨ Expose nonce for javascript libraries (Needs review): will expose the nonce to libraries if needed, e.g. to propagate the nonce to dynamically inserted scripts
- ✨ Enable conditional/alternate directive values (Active): will allow modules to specify domains that can be omitted from a directive if a nonce can be applied to the page, or safely fall back to domains if another module relies on 'unsafe-inline'
- 🇧🇪Belgium DieterHolvoet Brussels
I previously assumed that each request required a new nonce and so would be incompatible with page caching, but if I understand correctly a nonce must only be unique each time a page is generated.
Caching nonces is usually not a problem, but it's not 100% safe either. See the explanation at https://serverfault.com/a/1064775. Maybe you could add a disclaimer somewhere in the module description, or on the FAQ page in the documentation?