- 🇨🇦Canada gapple
Since report-only and enforced policies are separate objects, the page nonce will need to be generated & statically cached in a separate service so that it is consistent between them if both policies are added to a response.
- 🇨🇦Canada gapple
- ✨ Add nonce service (Fixed): added a nonce service so that a single nonce value can be used for each request by any module.
- ✨ Expose nonce for javascript libraries (Needs review): will expose the nonce to libraries if needed, e.g. to propagate the nonce to dynamically inserted scripts.
- ✨ Enable conditional/alternate directive values (Active): will allow modules to specify domains that can be omitted from a directive if a nonce can be applied to the page, or safely fall back to domains if another module relies on 'unsafe-inline'.
- 🇧🇪Belgium dieterholvoet Brussels
I previously assumed that each request required a new nonce so would be incompatible with page caching, but if I understand correctly a nonce must only be unique each time a page is generated.
Caching nonces is usually not a problem, but it's not 100% safe either. See the explanation at https://serverfault.com/a/1064775. Maybe you could add a disclaimer somewhere in the module description, or on the FAQ page in the documentation?
- Status changed to Active
- 🇦🇺Australia mstrelan (5:10am 15 January 2025)
Since we have nonce support now this should no longer be postponed. Please change it back if I'm wrong. I'm interested to see if we can add the nonce to all external scripts that are loaded by libraries and therefore allow strict-dynamic.
- 🇬🇧United Kingdom john.glynn.davies
Hi,
I just implemented using nonces on our site to allow scripts, but I'm having an issue where the nonce remains the same on subsequent page loads, so it appears to be getting cached somewhere.
I noticed your comment above suggests this might be by design, but that doesn't seem to marry up with the MDN docs on the subject:
> I previously assumed that each request required a new nonce so would be incompatible with page caching, but if I understand correctly a nonce must only be unique each time a page is generated.
FROM MDN: For this approach to work, it must not be possible for an attacker to guess the nonce.
In practice this means that the nonce must be different for every HTTP response, and must not be predictable.
This in turn means that the server cannot serve static HTML, because it must insert a new nonce each time.
If the nonce is cached and the same on repeated visits, it becomes accessible for an attacker to make use of it, no?
Hopefully I've just made a setup error of some kind?
Thanks
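As an added example (not code from the csp module or from any commenter in this thread), the following shows one request-scoped nonce feeding both the enforced and the report-only policy, plus two checks that separate the expected behaviour (same nonce within a response, different nonce across responses) from the cached-nonce symptom described above. The host name, the `init()` script and the `RequestNonce` class are made up for the illustration.

```python
import re
import secrets

# Constructed example, not the Drupal csp module's own code: a request-scoped
# nonce holder (one new instance per request), the two policies built from it,
# and checks that can be run against captured responses.

NONCE_IN_HEADER = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
NONCE_IN_HTML = re.compile(r'nonce="([^"]+)"')


class RequestNonce:
    """One nonce per response, generated lazily so the enforced policy, the
    report-only policy and inline <script> tags all see the same value."""

    def __init__(self):
        self._value = None

    def get(self):
        if self._value is None:
            # 128 random bits, base64url-encoded: not guessable by an attacker.
            self._value = secrets.token_urlsafe(16)
        return self._value


def build_response(nonce_service, hosts=("https://cdn.example",)):
    """Return (headers, body) for one page render using the given nonce holder."""
    nonce = nonce_service.get()
    # The enforced policy keeps the hosts that could not be dropped yet; the
    # report-only policy trials 'strict-dynamic'. Both must carry the same nonce.
    headers = {
        "Content-Security-Policy": f"script-src 'nonce-{nonce}' {' '.join(hosts)}",
        "Content-Security-Policy-Report-Only": f"script-src 'nonce-{nonce}' 'strict-dynamic'",
    }
    body = f'<script nonce="{nonce}">init();</script>'
    return headers, body


def nonces_in_response(headers, body):
    """Every distinct nonce value found in the headers or in inline scripts."""
    found = set()
    for value in headers.values():
        found.update(NONCE_IN_HEADER.findall(value))
    found.update(NONCE_IN_HTML.findall(body))
    return found


def response_is_consistent(headers, body):
    # Within one response all nonces must agree, or the browser blocks the scripts.
    return len(nonces_in_response(headers, body)) == 1


def responses_share_nonce(first, second):
    """True when two separate responses carry the same nonce (the cached-nonce
    symptom from the thread): a value an attacker observed would still be honoured."""
    return bool(nonces_in_response(*first) & nonces_in_response(*second))
```

Running the check over two real page loads (headers plus HTML) of a cached page is the quickest way to confirm whether the nonce is being served from cache.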