idea: check for nonce

[rvaneijk]

Hi,

The current report on SRI does not check for nonce, but flags non-SRI if no hash is implemented.

For example, <script 'nonce-d3gxy7nm8y4yjr' src="https://d3gxy7nm8y4yjr.cloudfront.net/js/embed.js" type="text/javascript"> is flagged as 'Subresource Integrity (SRI) not implemented,'

I ran the report on the URI https://www.natuurlijkehaarkleuring.nl/afspraak/

Proposed resulution: check for nonce-script tags when running the SRI reporter.

[andersju]

Hi!

Nonces are not related to SRI though. Nonces are for whitelisting inline JS when you really really have to, as a way to avoid using unsafe-inline (but of course it's best not to use inline JS at all). See for example https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

Maybe you meant to use SRI there? I see SRI is correctly implemented on all the other script/style elements, so it's a bit misleading that the results say "Subresource Integrity (SRI) not implemented, but all external resources are loaded over HTTPS" - I'll try to do something about that.

[Seirdy]

Might even be better to suggest hashes over nonces, since hashes actually validate the contents of the resource.