Expose nonce for javascript libraries

#3398536: Enable conditional/alternate directive values

If a directive includes 'unsafe-inline', modules may need to fall back to adding domains to the directive instead of a nonce (which would disable 'unsafe-inline' for other modules that rely on it). In that case the nonce should possibly not be added to drupalSettings¹

---

¹ I don't think it would be harmful - any scripts should be allowed by 'unsafe-inline' or a domain as necessary and the nonce on their tag would just be ignored.

I previously had a concern about exposing the nonce value to JavaScript like this, but since the nonce attribute on any page element is accessible to JavaScript, this does not expose anything not already available to any script via document.querySelector('script[nonce]').nonce.

Any script not conforming to the page's policy (e.g. an inline script element injected into the page which does not contain the correct nonce attribute) will be blocked, but if a bad script is able to bypass the policy (e.g. by being injected with a correct nonce attribute, or from a domain otherwise allowed by the policy), then it could already do significant harm regardless of being able to propagate the nonce to additional harmful scripts¹.

See https://github.com/w3c/webappsec-csp/issues/458

Note that browser dev tools will hide the nonce attribute's value when inspecting script elements, but it is still available to any scripts run on the page or in the console.

---

¹ Propagating the nonce could potentially do more harm by it's ability to allow additional scripts from any domain, while a domain-only policy would restrict the ability to load additional scripts to domains that have some measure of trust. A nonce-only policy (or with a very limited set of domains) could make an initial compromise more difficult though.

Note for module maintainers: you can add csp/nonce to your library dependencies without adding the csp module as dependency of your module.

Interesting; good to know. I think the recommended way will be to use hook_library_info_alter() to add the dependency if the csp module is enabled.

How would a directive currently include a nonce value? Shouldn't the module provide an option to do this? The nonce is random, so we can't hardcode it in config.

The csp.nonce service will generate a value as needed so that all modules have the same value for a single response, and modules can use Nonce::getSource() to get the formatted value for adding to the necessary directives in their csp.policy_alter event listener. (CSP handles removing duplicates in the header if multiple modules use the nonce value on the same directive).

(I don't think the nonce-source should be automatically added to a policy header if the library is present as a dependency for the response; it's uncertain if any module is always adding a nonce source, which directives it's needed for, or if it will be needed for either or both of a report-only and enforced policy).

Is it possible for themes to alter the policy?

It looks like no, not directly, since themes can't define services 😔: #2002606: Allow themes to provide services.yml
They can have a module dependency which has more capabilities: #474684: Allow themes to declare dependencies on modules

I've opened a new plan issue for figuring out changes for better support of themes (and maybe easier options for modules too): #3402029: Better CSP support for themes