Ability to add a nonce-attribute to dynamically generated script tags to comply with strict Content-Security-Policy

See original GitHub issue

Hey 😃 I’m doing a bit of security-hardening and wanted to switch to to a stricter content security policy (e.g. Google’s Strict CSP3 Example).

This requires me adding nonce-attributes to all my script tags: <script nonce="random-base64-string">. I’ve managed to do this for almost all script tags.

For the js chunks exposed by webpack-flush-chunks I hacked my way there:

const myNonce = "someBase64String"
const { js: rawJs, styles, cssHash: rawCssHash } = flushChunks(
  clientStats,
  { chunkNames }
)
const js = rawJs.toString().replace('<script', `<script nonce="${myNonce}"`)
const cssHash = rawCssHash.toString().replace('<script', `<script nonce="${myNonce}"`)

However, I haven’t managed to find a way to get these nonces into the dynamically loaded chunks.

According to the webpack docs it’s simply a matter of setting __webpack_nonce__ = 'someBase64String'; at the top of my entry file (the render.js from the redux-first-router-demo repo). But no luck. No matter where I set the webpack-nonce, it doesn’t pick it up.

Wasn’t sure whether that’s more of a webpack-flush-chunks or babel-plugin-universal-import (or something else entirely?) responsibility so I open this issue here.

Any advice?

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:2
  • Comments:8 (1 by maintainers)

github_iconTop GitHub Comments

1reaction
faceyspaceycommented, Jun 12, 2018

I don’t think this makes sense to be in our API. It can be achieved by using the low level arrays returned and manually build the scripts. As for the css hash script, use cssHashRaw and build that script. That’s the whole purpose of also offering the low level API.

@zackljackson you have a lot on your plate right now. This is a distraction.

@chapati23 if there’s something I’m missing regarding why this cant be accomplished in userland, let us know in a PR. You know these tools very well, and this is our smallest package. Should be no big deal for you brotha. Sorry about this one brotha.

0reactions
Voronarcommented, Aug 12, 2020
Read more comments on GitHub >

github_iconTop Results From Across the Web

Mitigate cross-site scripting (XSS) with a strict Content Security ...
Learn how to deploy a CSP based on script nonces or hashes as a defense-in-depth against cross-site scripting.
Read more >
strict-dynamic in CSP - Content Security Policy
The strict-dynamic source list keyword allows you to simplify your CSP policy by favoring hashes and nonces over domain host lists.
Read more >
Strict CSP - Content Security Policy
To enable a strict CSP policy, most applications will need to make the following changes: Add a nonce attribute to all <script> elements....
Read more >
Content Security Policy: How to create an Iron-Clad nonce ...
In this Article, I will provide a step by step process on how to implement a CSP3 compliant strict-dynamic CSP policy and properly...
Read more >
What is the correct way to load a script with the 'strict-dynamic ...
This means that attackers should not be able to inject their own code if, for example, 'unsafe-inline' was not explicitly allowed (which is...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found