Set nonces on <script> and <style> elements if configured #593
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Converting to draft because I just realized I need to handle the script on the OAuth2Redirect Plug as well. |
|
Okay, I handled <body onload="run()">
<script>
function run() {...}
</script>
</body>to: <head>
<script>
(function run() {...})();
</script>
</head>Because from my reading, there's no way to set a nonce on an event handler. Setting a nonce value on both the |
hamir-suspect
added a commit
to renderedtext/open_api_spex
that referenced
this pull request
May 14, 2024
* Exclude empty paths from spec (open-api-spex#583) * Exclude empty paths from spec * fix: assert_operation_response header lookup (open-api-spex#584) * fix: assert_operation_response header lookup * Release version 3.18.1 * Fix 'AllOf cast returns a map, but I expected a struct' (open-api-spex#592) * Add failing test * Cast result of AllOf cast into a struct * Shorter module name * Add missing NoneCache test * Release version 3.18.2 * Relax dependency constraint on ymlr to allow version ~> 5.0 (open-api-spex#586) * relax dependency on ymlr, and fix some tests * test with more elixir versions * Update Elixir version test matrix (open-api-spex#602) * Update Elixir version test matrix * Fix map key order dependent test * Release version 3.18.3 * Support response code ranges See: https://swagger.io/docs/specification/describing-responses/ * Release version 3.19.0 * Add notice that body params are not merged into Conn.params whne using cast and validate plug (open-api-spex#589) * Set nonces on <script> and <style> elements if configured (open-api-spex#593) * Allow script and style nonces * Allow nonces on the SwaggerUIOAuth2Redirect plug as well --------- Co-authored-by: Alisina Bahadori <[email protected]> Co-authored-by: Matt Sutkowski <[email protected]> Co-authored-by: Dimitris Zorbas <[email protected]> Co-authored-by: Angelika Tyborska <[email protected]> Co-authored-by: Aleksandr Lossenko <[email protected]> Co-authored-by: Nathan Alderson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We use a strict Content Security Policy (CSP) on our site which disallows inline scripts and inline styles unless they include the correct nonce value. This change allows the user to configure keys that, if given, will be used to look up nonces in the
conn.assignswhich are then used on the corresponding<script>and<style>elements.Configuration looks like this:
Or to use the same nonce for both:
This configuration matches the way this is handled by phoenix_live_dashboard and Oban Web.
If no keys are configured the nonce property is omitted, so this should be entirely backward compatible.