Allow users to optionally supply a CSP nonce to generated inline script #84
Conversation
By extension, it is enforced that the `csp_nonce` param is a `str` instance.
Wouldn't it be easier to pass
Since the extension already generates an inline helper script, I believe that providing an option for a CSP nonce would not complicate things. In fact, it saves time that would otherwise be spent in setting up a custom solution of "No-JS-and-Custom-Options". To add more to the list of benefits, one can also provide the CSP nonce in the script tags required for embedding
When I say it complicates things, I mean it makes this package more complex and harder to maintain. I would also posit that in matters of security, I would not trust that some random extension such as this one knows how to set up the
The fact of the matter is that CSP is going to be implemented by a tiny fraction of the people who use this package. Those people will have to go through the effort of setting up their CSP settings anyway, so they might as well invoke the script in their own preferred way, which is something that they'll have to do anyway for their other scripts. I think having SRI in this package makes sense, because this is a standalone thing that people benefit from even without understanding what SRI is. CSP is not like that; you have to know about it and willingly set it up, so it isn't a good fit for this package. Sorry.
May I ask how it will complicate things, even though it is nothing but a simple textual field, which ultimately may or may not be used by the users, just like the other fields?
How is this any different from having an option for setting up SRI? In fact, users come to know about CSP in the context of SRI.
I explained it above. SRI works on its own and is enabled by default for everybody; the developer doesn't even need to know it is used. Adding a CSP nonce serves no purpose unless you have gone through the effort of setting up CSP somewhere else in your application. If you did that, then you have a bunch of
Given that this extension generates the inline script and there is no way to turn it off, what else do you suggest that will prevent any CSP errors?
Pass
But that still generates the
That is what I'm trying to validate via CSP, but the extension provides no option for turning that off (not recommended) or loading it from a local file.
Okay, sorry, now I think I understand the problem. I'll give the PR another look tomorrow.
A possible fix is in the main branch. You can use
Ah! I was going to implement your current solution and update the pull request! Thanks! 👍
An added benefit of this solution is that you can now also serve the Flask-Moment JS code as its own resource. I put this example in the docs:

```python
@app.route('/flask-moment.js')
def flask_moment_js():
    return moment.flask_moment_js(), 200, {'Content-Type': 'application/javascript'}
```

So then in your template you can do:

```html
<script src="/flask-moment.js"></script>
```

So once again you can add any needed attributes to the script tag, and also benefit from caching at the browser, which wasn't possible before!
Simply excellent and beautifully decoupled! And thanks for all your valuable Flask resources!
If the user has set up a CSP like:

The `random` is substituted with the provided nonce. It is recommended that the user use an extension like Flask-Talisman and set it up as:

and then load Flask-Moment like:

Valuable resources:
- `csp_nonce()` function
- Flask-Talisman project
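As an added illustration (not code from Flask-Moment, Flask-Talisman or this thread), the following stdlib-only Python models the decision the PR description and the discussion turn on: a `script-src 'self' 'nonce-…'` policy admits the `/flask-moment.js` route tag but rejects an inline helper unless it carries the matching nonce. The `/flask-moment.js` path comes from the thread; the inline script body and the `allowed_by_csp` checker are constructed stand-ins, not the real extension output or a browser's CSP engine.

```python
import re
import secrets

# Constructed stand-in for the inline helper Flask-Moment injects into the page;
# the real script body is not reproduced here.
INLINE_HELPER = "<script>/* flask-moment helper (constructed stand-in) */</script>"

_SCRIPT_OPEN = re.compile(r"<script\b([^>]*)>", re.I)


def make_nonce() -> str:
    """Fresh, unguessable nonce for one response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Header value: same-origin files plus scripts carrying this response's nonce."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def moment_script_tag(nonce: str = "") -> str:
    """Tag for the /flask-moment.js route from the thread. The nonce attribute is
    optional because a same-origin src is already covered by 'self'."""
    attr = f' nonce="{nonce}"' if nonce else ""
    return f'<script src="/flask-moment.js"{attr}></script>'


def allowed_by_csp(tag: str, header: str) -> bool:
    """Approximate the browser's script-src decision for one <script> tag
    (hypothetical simplified checker: nonce, 'self' and 'unsafe-inline' only)."""
    m = re.search(r"script-src ([^;]+)", header)
    sources = m.group(1).split() if m else []
    attrs = _SCRIPT_OPEN.match(tag).group(1)
    nonce = re.search(r'nonce="([^"]*)"', attrs)
    src = re.search(r'src="([^"]*)"', attrs)
    if nonce and f"'nonce-{nonce.group(1)}'" in sources:
        return True  # a matching nonce admits the tag, inline or external
    if src and src.group(1).startswith("/") and "'self'" in sources:
        return True  # same-origin file admitted by 'self'
    # 'unsafe-inline' only counts when the policy carries no nonce sources
    has_nonce_src = any(s.startswith("'nonce-") for s in sources)
    return src is None and "'unsafe-inline'" in sources and not has_nonce_src
```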