Comments (7)
@tomkiss I'm slightly confused, there is no license for Twigpack, it's free?
from craft-twigpack.
So there's no nonce support currently, but I would be open to adding it if you like.
PRs are welcome too.
@tomkiss Where would the value in nonce="" come from? Would it be a constant you pass in, or would it be from the webpack generated hash or...?
Hi, sorry for the delayed response.
The nonce itself is unique for each request, so wouldn't be part of the build process. I've less experience of nonces on PHP projects and more from React - but I notice that there is a Craft plugin that supports nonces for CSP out there, at least as one implementation example:
https://plugins.craftcms.com/content-security-policy
*RE: "buying a license", lol - I went on a bit of a license-buying rampage and lost track a bit. Aforementioned baby-brain something to do with the confusion perhaps :)
So I took a look at the spec: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
A whitelist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support.
The plugin you referenced does it thusly:
https://github.com/born05/craft-csp/blob/master/src/services/Headers.php#L125
It's not clear to me that this is unguessable, but if the random seed isn't deterministic, I guess it'd be okay.
The rub here is that based on what I read, any nonces that are used in the script/style tags then also appear to need to be sent as part of the header as well.
It seems that to do this right, I'd need to send headers as well as applying the nonce to the script/style tags. Or were you envisioning handling that part yourself?
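A minimal illustration of the two halves the comment above describes: the nonce is minted fresh and unguessably per request, is never derived from the build hash, and must appear both in the Content-Security-Policy header and on the script/style tags. This is an added Python example, not code from craft-twigpack or from the referenced CSP plugin; the manifest entries are constructed stand-ins for webpack output.

```python
import re
import secrets
from html import escape
from typing import Dict, Tuple

# Constructed manifest stand-in: the hashed asset URLs a webpack build emits.
# The build hash is NOT the nonce; the nonce is regenerated for every request.
MANIFEST = {
    "/js/app.js": "/js/app.3f1c9a2b.js",
    "/css/app.css": "/css/app.8d77e0c1.css",
}


def new_nonce() -> str:
    # 128 bits from the OS CSPRNG; never a counter, timestamp or build hash.
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str) -> str:
    # 'unsafe-inline' stays as a fallback for old browsers; a browser that
    # understands nonces ignores it once a nonce source is present.
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' 'unsafe-inline'; "
        f"style-src 'self' 'nonce-{nonce}' 'unsafe-inline'"
    )


def render_tags(nonce: str) -> str:
    css, js = MANIFEST["/css/app.css"], MANIFEST["/js/app.js"]
    return (
        f'<link rel="stylesheet" href="{escape(css)}" nonce="{nonce}">\n'
        f'<script src="{escape(js)}" nonce="{nonce}"></script>'
    )


def render_response() -> Tuple[Dict[str, str], str]:
    """One request: mint a nonce, put it in BOTH the header and the tags."""
    nonce = new_nonce()
    headers = {"Content-Security-Policy": build_csp_header(nonce)}
    return headers, render_tags(nonce)


_NONCE_HEADER = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")
_NONCE_ATTR = re.compile(r'nonce="([^"]*)"')


def nonces_consistent(headers: Dict[str, str], html: str) -> bool:
    """True only if every nonce used on a tag is one the header allows."""
    allowed = set(_NONCE_HEADER.findall(headers.get("Content-Security-Policy", "")))
    used = set(_NONCE_ATTR.findall(html))
    return bool(used) and used <= allowed
```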
@tomkiss okay I added support for cspNonce in 66a566c. You can set your semVer to dev-develop and do a composer update to pull it down and give it a whirl.
I have not fully tested the implementation yet, so feedback would be great!
Added in 1.2.2: https://github.com/nystudio107/craft-twigpack/releases/tag/1.2.2