Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

AuthenticationProtocolMessage.BuildFormPost script tag CSP nonce

See original GitHub issue

Is your feature request related to a problem? Please describe.

It is not recommended to enable unsafe-inline in content security policy (CSP), as it would allow JavaScript to run without any additional validation. In the event of cross site scripting, CSP would no longer be able to protect the user. It is recommended to instead use CSP nonce and remove unsafe-inline.

In AuthenticationProtocolMessage.BuildFormPost, there is no way to customize the JavaScript script tag to emit the CSP nonce.

Describe the solution you’d like

Provide an overload in AuthenticationProtocolMessage.BuildFormPost that accepts CSP nonce.

Additional context

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Issue Analytics

State:
Created 4 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

1reaction

mafurmancommented, May 31, 2019

Since it seems like using a hash in the CSP provides the same functionality as using a nonce, we’ve decided to add a property that returns the string value of the script so that it is easier for users to calculate the hash (for our 5.5.0 release). We plan on adding an overloaded method that allows users to specify a nonce in our 6.x release (tracked in this issue: #1199).

0reactions

huan086commented, May 18, 2019

User should pass “12345”. The nonce attribute name won’t change

I just realize using hash in the csp is an alternative way to solve the problem without changes in the source code

https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/