- Issue created by @gapple
- 🇨🇦Canada gapple
✨ Enable conditional/alternate directive values Active
If a directive includes 'unsafe-inline', modules may need to fall back to adding domains to the directive instead of a nonce (which would disable 'unsafe-inline' for other modules that rely on it). In that case the nonce should possibly not be added to drupalSettings¹.
¹ I don't think it would be harmful - any scripts should be allowed by 'unsafe-inline' or a domain as necessary and the nonce on their tag would just be ignored.
over 1 year ago 113 pass, 4 fail - @gapple opened merge request.
- Status changed to Needs review
over 1 year ago 8:22am 2 November 2023 - 🇨🇦Canada gapple
I previously had a concern about exposing the nonce value to JavaScript like this, but since the nonce attribute on any page element is accessible to JavaScript, this does not expose anything not already available to any script via document.querySelector('script[nonce]').nonce.
Any script not conforming to the page's policy (e.g. an inline script element injected into the page which does not contain the correct nonce attribute) will be blocked, but if a bad script is able to bypass the policy (e.g. by being injected with a correct nonce attribute, or from a domain otherwise allowed by the policy), then it could already do significant harm regardless of being able to propagate the nonce to additional harmful scripts¹.
See https://github.com/w3c/webappsec-csp/issues/458
Note that browser dev tools will hide the nonce attribute's value when inspecting script elements, but it is still available to any scripts run on the page or in the console.
¹ Propagating the nonce could potentially do more harm by its ability to allow additional scripts from any domain, while a domain-only policy would restrict the ability to load additional scripts to domains that have some measure of trust. A nonce-only policy (or with a very limited set of domains) could make an initial compromise more difficult though. - last update
over 1 year ago 131 pass - 🇧🇪Belgium dieterholvoet Brussels
Note for module maintainers: you can add csp/nonce to your library dependencies without adding the csp module as dependency of your module. Not sure if it's a bug, but Drupal\Core\Asset\LibraryDependencyResolver::doGetDependencies ignores any libraries that are listed under dependencies but don't actually exist. - 🇧🇪Belgium dieterholvoet Brussels
when the csp/nonce library is present on a response and a directive includes a nonce value, the csp.policy_alter event listener will add the nonce value to drupalSettings
How would a directive currently include a nonce value? Shouldn't the module provide an option to do this? The nonce is random, so we can't hardcode it in config.
- Status changed to Needs work
over 1 year ago 3:51pm 6 November 2023 - 🇨🇦Canada gapple
Note for module maintainers: you can add csp/nonce to your library dependencies without adding the csp module as dependency of your module.
Interesting; good to know. I think the recommended way will be to use hook_library_info_alter() to add the dependency if the csp module is enabled.
How would a directive currently include a nonce value? Shouldn't the module provide an option to do this? The nonce is random, so we can't hardcode it in config.
The csp.nonce service will generate a value as needed so that all modules have the same value for a single response, and modules can use Nonce::getSource() to get the formatted value for adding to the necessary directives in their csp.policy_alter event listener. (CSP handles removing duplicates in the header if multiple modules use the nonce value on the same directive).
(I don't think the nonce-source should be automatically added to a policy header if the library is present as a dependency for the response; it's uncertain if any module is always adding a nonce source, which directives it's needed for, or if it will be needed for either or both of a report-only and enforced policy).
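As an added example that is not code from the csp project or from this thread, the following sketch shows how a third-party module could follow the approach gapple describes above: declare the csp/nonce library dependency only when the csp module is installed, and append the per-response nonce source to script-src from a csp.policy_alter listener, falling back to a domain when the directive already carries 'unsafe-inline' (the concern raised in the issue summary). It assumes the csp module's Drupal\csp\Nonce class (the csp.nonce service), Drupal\csp\Event\PolicyAlterEvent with getPolicy(), the CspEvents::POLICY_ALTER constant, and hasDirective()/getDirective()/appendDirective() on the policy object; "mymodule", its "widget" library and widget.example.com are constructed placeholders.

```php
<?php

// Constructed example for a hypothetical "mymodule" that ships a
// "mymodule/widget" library whose inline <script> should carry the csp nonce.
// The two pieces would normally live in separate files (mymodule.module and
// src/EventSubscriber/WidgetCspSubscriber.php); bracketed namespace syntax is
// used here only so the listing is a single valid PHP file.

namespace {

  /**
   * Implements hook_library_info_alter().
   *
   * Adds csp/nonce as a dependency of mymodule/widget only when the csp
   * module is installed, so mymodule needs no hard dependency on csp.
   */
  function mymodule_library_info_alter(array &$libraries, string $extension): void {
    if ($extension !== 'mymodule' || !isset($libraries['widget'])) {
      return;
    }
    if (\Drupal::moduleHandler()->moduleExists('csp')) {
      $libraries['widget']['dependencies'][] = 'csp/nonce';
    }
  }

}

namespace Drupal\mymodule\EventSubscriber {

  use Drupal\csp\CspEvents;
  use Drupal\csp\Event\PolicyAlterEvent;
  use Drupal\csp\Nonce;
  use Symfony\Component\EventDispatcher\EventSubscriberInterface;

  /**
   * Adds the per-response nonce source to script-src via csp.policy_alter.
   */
  class WidgetCspSubscriber implements EventSubscriberInterface {

    // Constructed fallback origin used when a nonce would break 'unsafe-inline'.
    private const WIDGET_ORIGIN = 'https://widget.example.com';

    // Injected csp.nonce service (assumed class name Drupal\csp\Nonce).
    public function __construct(private readonly Nonce $nonce) {}

    public static function getSubscribedEvents(): array {
      return [CspEvents::POLICY_ALTER => 'onCspPolicyAlter'];
    }

    public function onCspPolicyAlter(PolicyAlterEvent $event): void {
      $policy = $event->getPolicy();

      // Only touch script-src when the policy already defines it; the current
      // values are read with getDirective() (assumed API of the policy object).
      if (!$policy->hasDirective('script-src')) {
        return;
      }
      $values = $policy->getDirective('script-src');

      // A nonce source makes browsers ignore 'unsafe-inline' for every other
      // module relying on it, so fall back to allow-listing the origin instead.
      if (in_array("'unsafe-inline'", $values, TRUE)) {
        $policy->appendDirective('script-src', self::WIDGET_ORIGIN);
        return;
      }

      // Nonce::getSource() returns the formatted 'nonce-<value>' source; every
      // module gets the same value for this response, and the csp module
      // removes duplicates when it emits the header.
      $policy->appendDirective('script-src', $this->nonce->getSource());
    }

  }

}
```

The subscriber still has to be registered in mymodule.services.yml with the event_subscriber tag and '@csp.nonce' as its constructor argument; because that file references a csp service, the fallback-domain branch is the only part that keeps working if csp is absent, which is why the library dependency above is added from the hook rather than declared statically.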
- 🇧🇪Belgium dieterholvoet Brussels
Makes sense, thanks! Is it possible for themes to alter the policy? Otherwise we won't be able to use this for ✨ Support Content Security Policy Postponed.
- 🇨🇦Canada gapple
Is it possible for themes to alter the policy?
It looks like no, since themes can't define services: #2002606: Allow themes to provide services.yml →
I've opened a new plan issue for figuring out changes for better support of themes (and maybe easier options for modules too): 🌱 Better CSP support for themes Active
- last update
over 1 year ago 132 pass
- gapple → committed 14694fb6 on 8.x-1.x
Issue #3398535 by gapple: Expose nonce for javascript libraries
- Status changed to Fixed
over 1 year ago 9:24am 16 November 2023 Automatically closed - issue fixed for 2 weeks with no activity.