
Use Content-Security-Policy nonce

Open keskiju opened this issue 5 years ago • 0 comments

Some links:

  • https://scotthelme.co.uk/csp-nonce-support-in-nginx/
  • https://csp.withgoogle.com/docs/why-csp.html
  • https://csp.withgoogle.com/docs/strict-csp.html
  • https://csp.withgoogle.com/docs/adopting-csp.html

Some remarks:

  • The nonce should be changed on every page load. However, if the server returns "HTTP 403 Not Modified", the nonce is changed in the HTTP response header, but the browser (at least Firefox) still uses the old content with the old nonce. Resolve this somehow (prevent 403 Not Modified?).
  • A meta tag should not be used, as it exposes the nonce. Use an HTTP header instead.
  • The CSP nonce should also work with React lazy loading.

keskiju, Dec 27 '19 06:12