Problem/Motivation

See issue: https://www.drupal.org/project/piwik_pro/issues/3574747
A nonce should be different on every page request.

Steps to reproduce

- Enable CSP nonce support in Piwik PRO module settings and inspect the source of some pages in your site.
- The nonce value within the code snippet stays the same on every page request for anonymous users.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork piwik_pro-3576472


Comments

dripa created an issue.

hartsak’s picture

Hey @dripa!
Thanks for the ticket!
Is the issue still happening even after the nonce builder is being added in https://www.drupal.org/project/piwik_pro/issues/3574747 ?

If it still occurs, I was thinking, would using the library mode be a better option?

dripa’s picture

Hi @hartsak,

I have set this in the module config:

Load Piwik PRO snippet from a library
Enable CSP nonce support

The nonce is now added in this section <script type="application/json" data-drupal-selector="drupal-settings-json"> and replaced in the library js file. But it's still the same nonce per request for anonymous users, which is not allowed as stated in: https://content-security-policy.com/nonce/

hartsak’s picture

Thanks for the answer @dripa!
I thought I followed the guide from here https://www.drupal.org/project/csp/issues/3447249 and the other links on the page, which suggest using the 2.x branch of the CSP module and the nonce builder service with placeholder.
The original code changes in https://www.drupal.org/project/piwik_pro/issues/3574747 were using the 1.x branch.

Do you have a suggestion for how to properly keep the nonce value changing between requests made by anonymous users, other than disabling caches entirely?

We might need to take another look at this!

dripa’s picture

@hartsak We have success with this change in the nonce_generator module: https://git.drupalcode.org/project/nonce_generator/-/merge_requests/1/diffs

It adds a placeholder nonce which is replaced by middleware, so the nonce is unique per page request and the page is still cached.

We could implement that logic or use that module to generate the nonce.
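The placeholder-swap approach described in the comment above, as an added illustration that is not code from the nonce_generator or piwik_pro modules: a Drupal StackMiddleware sitting outside the page cache, so the cached HTML keeps the literal placeholder and each served response gets its own nonce. The class name, namespace and placeholder token are assumptions.

```php
<?php

// Added illustration; not the nonce_generator or piwik_pro module's own code.
// Namespace, class name and placeholder token are hypothetical.
namespace Drupal\example_nonce\StackMiddleware;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\HttpKernelInterface;

/**
 * Swaps a cached placeholder for a fresh per-request CSP nonce.
 *
 * Because this runs outside the page cache middleware, the cached copy of the
 * page (including the drupal-settings-json block) only ever contains the
 * placeholder; the real nonce is minted here for every response, so a cached
 * page no longer hands out the same nonce to every anonymous visitor.
 */
final class NoncePlaceholderMiddleware implements HttpKernelInterface {

  /** Hypothetical token that the theme/snippet emits where the nonce belongs. */
  public const PLACEHOLDER = '__CSP_NONCE_PLACEHOLDER__';

  public function __construct(private readonly HttpKernelInterface $httpKernel) {}

  public function handle(Request $request, int $type = self::MAIN_REQUEST, bool $catch = TRUE): Response {
    $response = $this->httpKernel->handle($request, $type, $catch);

    $content = $response->getContent();
    if ($content === FALSE || !str_contains($content, self::PLACEHOLDER)) {
      // Nothing to rewrite (streamed response or no nonce-bearing snippet).
      return $response;
    }

    // 128 bits from the CSPRNG, base64-encoded as the CSP spec expects.
    $nonce = base64_encode(random_bytes(16));
    $response->setContent(str_replace(self::PLACEHOLDER, $nonce, $content));

    // The policy header must carry the same value, so any CSP header that was
    // generated with the placeholder gets the identical substitution.
    foreach (['Content-Security-Policy', 'Content-Security-Policy-Report-Only'] as $name) {
      if ($response->headers->has($name)) {
        $response->headers->set($name, str_replace(self::PLACEHOLDER, $nonce, $response->headers->get($name)));
      }
    }

    return $response;
  }

}
```

Register it in the module's services.yml with the `http_middleware` tag and a priority higher than core's `page_cache` middleware, otherwise it runs inside the cache and the substituted nonce is what gets stored.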