Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Apply CSP nonce when createElement is called

See original GitHub issue

Hi!

Firstly, thanks for your work on this project! 👋

Today I used patch-package to patch @hotwired/turbo@7.1.0 for the project I’m working on.

There is an issue which is documented here https://github.com/hotwired/turbo/pull/501/files but that fix doesn’t exist in this file.

Here is the diff that solved my problem:

diff --git a/node_modules/@hotwired/turbo/dist/turbo.es2017-esm.js b/node_modules/@hotwired/turbo/dist/turbo.es2017-esm.js
index 963422f..1b164fe 100644
--- a/node_modules/@hotwired/turbo/dist/turbo.es2017-esm.js
+++ b/node_modules/@hotwired/turbo/dist/turbo.es2017-esm.js
@@ -1215,6 +1215,9 @@ class ProgressBar {
         const element = document.createElement("style");
         element.type = "text/css";
         element.textContent = ProgressBar.defaultCSS;
+
+        element.nonce = document.head.querySelector('meta[name="csp-nonce"]')?.getAttribute('content')
+
         return element;
     }
     createProgressElement() {

This issue body was partially generated by patch-package.

Issue Analytics

  • State:open
  • Created a year ago
  • Comments:10 (5 by maintainers)

github_iconTop GitHub Comments

1reaction
guckicommented, Nov 18, 2022

Unfortunately, the file doesn’t contain any helpful comments. But I’ll find out anyway 😉 But thank you very much for your help. I think we are done here, as the initial issue with turbo.es2017-esm.js is resolved by your fix.

0reactions
riencecommented, Nov 18, 2022

Here’s what I could suggest you to do

  1. Open web developer console and click link to loadWidgetCss.js - you’ll probably see a code that is building style tag.
    • You might consider adding code that is reading csp tag from head and apply to that style element e.g. element.nonce = ''
  2. While looking at loadWidgetCss.js - take a look at top of this file - maybe you’ll find information where does it come from
Read more comments on GitHub >

github_iconTop Results From Across the Web

FAQ - Content Security Policy
Method #1: Use CSP hashes instead of nonces. It's possible to calculate SHA hashes of static inline <script> blocks with this tool, or...
Read more >
CSP: script-src - HTTP - MDN Web Docs - Mozilla
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded ...
Read more >
CSP Nonce Examples and Guide - Content Security Policy
A nonce is a randomly generated token that should be used only one time. What is a nonce? The word nonce can be...
Read more >
Use Tag Manager with a Content Security Policy
Enable the container tag to use CSP ... Tag Manager will then propagate the nonce to any scripts that it adds to the...
Read more >
Mitigate cross-site scripting (XSS) with a strict Content Security ...
A Content Security Policy based on nonces or hashes is often called a strict CSP. When an application uses a strict CSP, attackers...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Turbo will not navigate to URLs that have a `.` in the pathname

Next page

Easy way to update <title> and other elements using Frames