Version: 2.0.0 Deion When using CSP head

This is now fixed in <a href="https://github.com/marko-js/webpack/blob/master/CHANGELO

This should be straight forward for the s inlined. Do you happ

Do you happen to know if s added dynamically via js also require th

Add CSP nonce to the rendered script about webpack HOT 3 CLOSED

MiloCasagrande commented on June 12, 2024 1

Add CSP nonce to the rendered script

from webpack.

Comments (3)

DylanPiercey commented on June 12, 2024 1

This is now fixed in 3.0.0. You must also upgrade Marko to 4.18.47 and then you can pass a cspNonce as a Marko global and it will be picked up here (as well as other scripts output by Marko).

Eg:

template.render({ $global: { cspNonce: "..." } });

from webpack.

DylanPiercey commented on June 12, 2024

This should be straight forward for the scripts inlined.

Do you happen to know if scripts added dynamically via js also require the nonce? It seems webpack is doing that here https://github.com/webpack/webpack/pull/3210/files#diff-82578d379e84f28902072d7b5efc5be0R43

from webpack.

MiloCasagrande commented on June 12, 2024

Do you happen to know if scripts added dynamically via js also require the nonce? It seems webpack is doing that here https://github.com/webpack/webpack/pull/3210/files#diff-82578d379e84f28902072d7b5efc5be0R43

It would be better yes, since those scripts would need to be trusted as well.

There is also a CSP level 3 option for the script-src directive called strict-dynamic that states that dynamically loaded scripts from an already allowed script are safe; but I'm not sure how much support there is for CSP level 3 out there though.

from webpack.

Recommend Projects