feat: possibility to add nonce attribute on script and style tags #2996
Conversation
|
Update. After implementing the nonce, we still have problems with unsafe-eval. I've seen someone has a solution for this: #1287. Unfortunately the PR was closed because it was not supported in older browsers. Now we are a few years later. IE11 is not supported anymore. Is it possible to add it now? |
|
FYI, Firefox blocks all inline styles without a nonce. So basically Stencil cannot be used in production. Please prioritize this issue! |
|
@kliehm Can you provide an example of Firefox blocking inline styles without a nonce? I'm able to get the following (although basic) HTML with inline CSS to render just fine in the following versions of Firefox:
<!DOCTYPE html>
<html>
<body>
<h1 style="color:blue;text-align:center;">This is a heading</h1>
<p style="color:red;">This is a paragraph.</p>
</body>
</html> EDIT: I didn't see #3203 until after I commented here. Let's move the discussion to #3203 |
|
@rwaskiewicz It will go wrong where insertBefore is being used. Take this as an example. Maybe te best solution would be what I created in this PR: #2996 Could you add this functionality in the core? A lot of people would be very pleased! |
What I said above is solved because we don't support IE11 anymore. Using the nonce is still necessary but with that we will not get any errors anymore |
|
Initial support for CSP Nonces have been added in today's release of Stencil 2.22.1, with our official guidance on nonce usage with Stencil published here. As a result, I'm going to close this pull request. Thanks again for helping making Stencil better! |
That is great news @rwaskiewicz! Thank you for this. |
This is about this topic: #1392
I added the possibility to add a nonce attribute on the <style> and <script> tags who are dynamically created by Stencil.
The value of the nonce attribute can be given with a global window variable.