Use case: strict-dynamic and nonce

Created on 3 March 2025, about 1 month ago

Problem/Motivation

Hello,
I want to share an experience: when you want to use `strict-dynamic` in your CSP,
you need to use `nonce` or `hash` properties on your scripts.

Advantages: Using nonces and hashes in CSP together with the `strict-dynamic` source-list keyword allows you to simplify your CSP policy by favouring hashes and nonces over domain host lists.

Currently, I have a custom module that adds extra functionality to the CSP module.
I need to override the core `asset.js.collection_renderer` service (only by decorating it) to place the nonce attribute on scripts declared from Drupal libraries.
The class overrides the `render()` method to achieve that:

  /**
   * {@inheritdoc}
   *
   * Add nonce value to assets with src value.
   */
  public function render(array $js_assets): array {
    $placeholderKey = $this->nonce->getValue();

    // Render the core assets.
    $elements = $this->jsCollectionRenderer->render($js_assets);

    // Add nonce value to assets with src value.
    foreach ($elements as &$element) {
      // Attributes may only be set if this script is output independently.
      if (!empty($element['#attributes']['src'])) {
        $element['#attributes']['nonce'] = $placeholderKey;
      }
    }

    return $elements;
  }

Perhaps the solution already exists in the CSP module, but I didn't find it, despite searching thoroughly.

Is it possible to discuss this use case?
It could be beneficial for this extra to be part of the module.

Thanks

📌 Task
Status

Active

Version

2.0

Component

Miscellaneous

Created by

🇫🇷France OmManiPadmeHum


Comments & Activities

  • Issue created by @OmManiPadmeHum
  • 🇨🇦Canada gapple

    There's some discussion of strict-dynamic in Allow script / style by nonce (Postponed).

    Since the ability to use strict-dynamic is dependent on the libraries a site uses, and previously even Drupal Core itself was incompatible, there hasn't been work to integrate it as a feature in the module.
    There was also originally the issue of browser support for strict-dynamic, but I don't think that's still a concern with all modern browsers now supporting CSP 3.

    I think core support, csp modules features, and browser support have all progressed enough that restoring strict-dynamic as a configurable option on the module is feasible now, but it will need some thought for implementation given that the target user for the config form is site builders. The effect of using it needs to be clear, reporting of violations visible, and easily reversible.

  • 🇫🇷France OmManiPadmeHum

    Thanks for the answer.
    Maybe we can close this issue as a duplicate of issue Allow script / style by nonce (Postponed) to continue in it.

  • 🇨🇦Canada gapple

    I'll postpone this issue as a separate item to enable 'strict-dynamic' after making it possible to use a nonce for library scripts.
