How does nonce generation work? #603
Closed
Labels: question (Further information is requested)
Description
Hi there,
I've just installed the nuxt-security module on our website and I have a question regarding nonce generation and configuration.
As far as I could read, the nonce attribute is supposed to be added to every script tag (for example) with the right value.
In our case, I can see a nonce value set in the "Content-Security-Policy" header of my request:
but ... I was also expecting this nonce attribute value to be added to my scripts:
and this is not the case.
None of the injected scripts has a nonce value.
So ... my question is (even if I think I know the answer :p): is this the expected behavior?
I'm running:
"nuxt": "^3.12.3",
"nuxt-security": "^2.1.5",
and nuxt security module config:
// nuxt.config.ts (security section)
security: {
  // corsHandler: false,
  // nonce: true,
  headers: {
    // crossOriginEmbedderPolicy: 'credentialless',
    // crossOriginOpenerPolicy: 'same-origin',
    crossOriginResourcePolicy: false,
    crossOriginEmbedderPolicy: false,
    crossOriginOpenerPolicy: false,
    contentSecurityPolicy: {
      // {{nonce}} is substituted per request; 'strict-dynamic' then trusts only nonced scripts
      'script-src': [
        "'nonce-{{nonce}}'",
        "'strict-dynamic'",
      ],
      'style-src': ["'self'", "'unsafe-inline'"],
      'worker-src': ["'self'", 'blob:'],
      'object-src': ['blob:'],
      'img-src': ['*', 'data:'],
      'frame-ancestors': [
        "'self'", // CSP keyword: the inner single quotes are required
        // and some other domains
      ],
    },
  },
}
Thanks a lot for your help.
Best regards