Sorry about this subject perhaps being to broad but I am struggling to find about how and why to implement nonce support for this module.
My current understanding is that currently this module needs to have unsafe-inline set if the https://www.drupal.org/project/csp → module is enabled.
If we want to disable this as recommended by https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Securi... I suppose we need to:
1. Add a nonce to the CSP policy e.g.
Content-Security-Policy: script-src 'nonce-2726c7f26c'
2. Add this nonce to the inline script tag generated by this module. e.g.
<script nonce="2726c7f26c">window.dataLayer = window.dataLayer || []; window.dataLayer.push({"drupalLanguage"....</script>
My understanding for now is that:
1. Add a nonce to the CSP policy can be done by creating a subscriber and act upon the policy alter event as stated here https://www.drupal.org/docs/extending-drupal/contributed-modules/contrib... →
2. Of this I am not sure how to implement? I do read we need to take into account caching and use placeholders but am not sure which hook to use. See https://www.drupal.org/docs/extending-drupal/contributed-modules/contrib... →
Is this the correct way to implement this or is this perhaps another way to make the use of unsafe-inline unnecessary when using the csp module in combination with this module.
Active
2.1
Code
You could have a look at how Google Tag → solved this issue in ✨ Support Content Security Policy nonce Active . I think you could basically base your whole solution on the patch in that issue. Just copy & paste :-)
@peter-törnstrand thanks for the suggestion. I will look into that.