Problem/Motivation

The Content-Security-Policy (CSP) module facilitates adding a nonce to inline scripts. Any policy that blocks inline scripts will render this module useless unless we use a nonce.

Steps to reproduce

Proposed resolution

  • Add additional script field that gets wrapped in script tags automatically (using html_tag render element)
  • Add CSP nonce integration to script tags

Alternatively we would have to parse script tags from the snippet and add the nonce attribute there.

Remaining tasks

User interface changes

API changes

Data model changes
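
The alternative named under Proposed resolution, parsing the script tags out of the snippet and adding the nonce attribute to them, shown with PHP's DOMDocument. This is an added example, not code from this issue or from the CSP module; the function name add_script_nonce() and the sample snippet are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a CSP module API): adds the nonce attribute to
// every <script> element in a snippet and leaves other markup untouched.
function add_script_nonce(string $snippet, string $nonce): string {
  $doc = new DOMDocument();
  $previous = libxml_use_internal_errors(true);
  // Wrap the fragment so it can be located and serialized back on its own.
  $doc->loadHTML(
    '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>'
    . '<body><div>' . $snippet . '</div></body></html>'
  );
  libxml_clear_errors();
  libxml_use_internal_errors($previous);

  foreach ($doc->getElementsByTagName('script') as $script) {
    // Overwrite any nonce typed into the snippet; only the per-response
    // value that is also sent in the header is allowed through.
    $script->setAttribute('nonce', $nonce);
  }

  // The first <div> in the document is the wrapper added above.
  $wrapper = $doc->getElementsByTagName('div')->item(0);
  $out = '';
  foreach ($wrapper->childNodes as $child) {
    $out .= $doc->saveHTML($child);
  }
  return $out;
}

// A fresh, unpredictable nonce must be generated for every response.
$nonce = base64_encode(random_bytes(16));

// Constructed sample snippet mixing <link>, <style> and <script>.
$snippet = '<link rel="stylesheet" href="/example.css">'
  . '<style>.banner { display: none; }</style>'
  . '<script>window.exampleLoaded = true;</script>';

$html = add_script_nonce($snippet, $nonce);
$header = "Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'";

echo $header, PHP_EOL, $html, PHP_EOL;
```

Because every script element in the snippet receives the nonce, the field must only accept input from users who are already trusted to add JavaScript to the site.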


Comments

mstrelan created an issue. See original summary.

mstrelan’s picture

Status: Active » Needs work

First pass, needs a bit of cleanup. Seems to work, needs tests and scrutiny.

mstrelan’s picture

Issue summary: View changes

In practice we have snippets that combine <script>, <style> and <link> tags in the same snippet, so unfortunately the original approach of adding a checkbox doesn't work. Have updated the approach to provide a separate field for entering the JavaScript, and repurposed the existing field for supporting markup.

mstrelan’s picture

Status: Needs work » Needs review

larowlan’s picture

Status: Needs review » Reviewed & tested by the community