UKHomeOfficeForms / hof-template-partials

DEPRECATED, this is built into hof v19 (ノ◕ヮ◕)ノ*:・゚✧

Add placeholder for `nonce` to Google analytics script tag #12

Open JoeChapman opened 7 years ago

JoeChapman commented 7 years ago

So that we can implement a Content Security Policy that does not allow unsafe-inline scripts to be loaded, we should sign our script tags with a nonce.

A nonce can be generated in server middleware on each request using npm uuid, assigned to the locals object and the CSP script-src directive.

When the template is rendered the placeholder is substituted with the value of locals.nonce.

If the value of the placeholder attribute (the nonce value we just set) and the value of the nonce on the server match, then the request can proceed.

Associated issues:
https://github.com/UKHomeOfficeForms/hof-bootstrap/issues/105
https://github.com/alphagov/govuk_template/issues/258

JoeChapman commented 7 years ago

PR for script tag placeholder: https://github.com/alphagov/govuk_template/pull/268