Problem/Motivation

Hello,
I want to share an experience about using `strict-dynamic` in your CSP.
You need to use `nonce` or `hash` properties on your scripts.

Advantages: Using nonce and hash in CSP with the strict-dynamic source-list keyword allows you to simplify your CSP policy by favoring hashes and nonces over domain host lists.

Actually, I have a custom module that adds extra functionality to the CSP module.
I need to override the asset.js.collection_renderer service from core, only by decorating it, to place a nonce property on scripts declared in Drupal libraries.
The class overrides the render() method to achieve that:

  /**
   * {@inheritdoc}
   *
   * Add nonce value to assets with src value.
   */
  public function render(array $js_assets): array {
    $placeholderKey = $this->nonce->getValue();

    // Render the core assets.
    $elements = $this->jsCollectionRenderer->render($js_assets);

    // Add nonce value to assets with src value.
    foreach ($elements as &$element) {
      // Attributes may only be set if this script is output independently.
      if (!empty($element['#attributes']['src'])) {
        $element['#attributes']['nonce'] = $placeholderKey;
      }
    }

    return $elements;
  }

Perhaps the solution already exists in the CSP module, but I didn't find it, despite searching deeply.

Is it possible to discuss this use case?
It could be beneficial if this extra were part of the module.

Thanks
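A complete version of the decorator described in the issue summary, as an added example (not code from the original post or from the CSP module): it assumes a module named my_csp_extras and that the CSP module exposes its nonce as the `csp.nonce` service (class `Drupal\csp\Nonce`), whose `getValue()` returns the per-request nonce.

```php
<?php

namespace Drupal\my_csp_extras\Asset;

use Drupal\Core\Asset\AssetCollectionRendererInterface;
use Drupal\csp\Nonce;

/**
 * Decorates asset.js.collection_renderer to add a CSP nonce to external scripts.
 *
 * Registration in my_csp_extras.services.yml (module name and nonce service id
 * are assumptions for this example):
 *
 *   services:
 *     my_csp_extras.js_collection_renderer:
 *       class: Drupal\my_csp_extras\Asset\NonceJsCollectionRenderer
 *       decorates: asset.js.collection_renderer
 *       arguments: ['@my_csp_extras.js_collection_renderer.inner', '@csp.nonce']
 */
class NonceJsCollectionRenderer implements AssetCollectionRendererInterface {

  public function __construct(
    protected AssetCollectionRendererInterface $inner,
    protected Nonce $nonce,
  ) {}

  /**
   * {@inheritdoc}
   */
  public function render(array $assets): array {
    // Let the core renderer build the <script> render arrays first.
    $elements = $this->inner->render($assets);
    $nonce = $this->nonce->getValue();

    foreach ($elements as &$element) {
      // Only scripts output as their own <script src="..."> tag get a nonce.
      // With 'strict-dynamic' the nonce, not the host allowlist, is what lets
      // the browser execute them and anything they load in turn.
      if (!empty($element['#attributes']['src'])) {
        $element['#attributes']['nonce'] = $nonce;
      }
    }
    // Drop the reference left by the by-reference foreach.
    unset($element);

    return $elements;
  }

}
```

The same nonce value must then appear in the page's `script-src` directive alongside 'strict-dynamic', otherwise the nonced tags are still blocked.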

Comments

ommanipadmehum created an issue. See original summary.

gapple

There's some discussion of strict-dynamic in #3086924: Allow script / style by nonce.

Since the ability to use strict-dynamic is dependent on the libraries a site uses, and previously even Drupal Core itself was incompatible, there hasn't been work to integrate it as a feature in the module.
There was also originally the issue of browser support for strict-dynamic, but I don't think that's still a concern with all modern browsers now supporting CSP 3.

I think core support, csp modules features, and browser support have all progressed enough that restoring strict-dynamic as a configurable option on the module is feasible now, but it will need some thought for implementation given that the target user for the config form is site builders. The effect of using it needs to be clear, reporting of violations visible, and easily reversible.

ommanipadmehum

Thanks for the answer.
Maybe we can close this issue as a duplicate of issue #3086924: Allow script / style by nonce and continue in it.

gapple

Title: Use case: strict-dynamic and nonce » Option to use strict-dynamic for scripts
Status: Active » Postponed
Related issues: +#3086924: Allow script / style by nonce

I'll postpone this issue as a separate item to enable 'strict-dynamic' after making it possible to use a nonce for library scripts.