fix: disable nonce creation by default

As the nonce should be unique per request, it doesn't make sense to enable this by default, as that requires additional work on the serving side. On the other side, having a (static) random value isn't correct either. So we keep the current logic, but disable nonce generation by default, making it opt-in. Closes trunk-rs#941
ctron · Jan 21, 2025 · ca1b05a · ca1b05a
1 parent 16cf708
commit ca1b05a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/config/models/build.rs b/src/config/models/build.rs
@@ -153,7 +153,7 @@ pub struct Build {
     pub allow_self_closing_script: bool,
 
     /// Create 'nonce' attributes with a placeholder.
-    #[serde(default = "default::create_nonce")]
+    #[serde(default)]
     pub create_nonce: bool,
 
     /// The placeholder which is used in the 'nonce' attribute.
@@ -230,7 +230,7 @@ impl Default for Build {
             minify: Default::default(),
             no_sri: false,
             allow_self_closing_script: false,
-            create_nonce: true,
+            create_nonce: false,
             nonce_placeholder: default::nonce_placeholder(),
         }
     }