coderello / laravel-shared-data

📦 An easy way to share the data from your backend to the JavaScript.
https://coderello.com/docs/laravel-shared-data/1.0/sharing-data
MIT License
321 stars 22 forks

Nonce CSP is not supported #29

Closed mariusaustr closed 2 years ago

mariusaustr commented 3 years ago

There is no way to use a nonce-based content security policy, since the `Coderello\SharedData\SharedData::render()` method returns a `<script>` with no way to inject additional data.

```php
public function render(): string
{
    return '<script>'
        .'window["'.$this->getJsNamespace().'"]='.$this->toJson().';'
        .'window["sharedDataNamespace"]="'.$this->getJsNamespace().'";'
        .($this->getJsHelperEnabled() ? $this->getJsHelper().';' : '')
        .'</script>';
}
```

I think either the class constructor or the render method could accept a nonce value.

hivokas commented 2 years ago

Thanks, @mariusaustr! It makes sense.

I've published a new release to support that: https://github.com/coderello/laravel-shared-data/releases/tag/3.2.0
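
One way a nonce-aware render could look, as an added example: this is not code from the issue or from the 3.2.0 release, and the function names `makeCspNonce` and `renderSharedData` are hypothetical. It keeps the output shape of the method quoted above (without the JS helper) and additionally encodes with the `JSON_HEX_*` flags so a shared value cannot terminate the `<script>` element.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of coderello/laravel-shared-data.
// One unpredictable nonce per response: 128 random bits, base64-encoded.
function makeCspNonce(): string
{
    return base64_encode(random_bytes(16));
}

// Hypothetical stand-in for a nonce-aware render(): same assignments as the
// method quoted in the issue, plus an optional nonce attribute on the tag.
function renderSharedData(array $data, string $namespace, ?string $nonce = null): string
{
    // JSON_HEX_* turns <, >, &, ' and " into \uXXXX escapes, so values cannot
    // close the <script> element or break out of the JS string literals.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $ns = json_encode($namespace, $flags);

    $attr = $nonce === null
        ? ''
        : ' nonce="'.htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8').'"';

    return '<script'.$attr.'>'
        .'window['.$ns.']='.json_encode($data, $flags).';'
        .'window["sharedDataNamespace"]='.$ns.';'
        .'</script>';
}

// Constructed sample data; the value contains a literal closing script tag.
$nonce = makeCspNonce();
$html = renderSharedData(['note' => 'a </script> b'], 'sharedData', $nonce);

// The nonce in the header must match the one on the tag, and must be
// regenerated for every response. header() is a no-op on the CLI.
header("Content-Security-Policy: script-src 'nonce-{$nonce}'");
echo $html, PHP_EOL;
```

With this policy the browser executes only inline scripts whose `nonce` attribute matches the header value, which is why a `<script>` tag emitted without the attribute is blocked.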