eBay / ebay-font

A small utility to efficiently load custom web fonts
MIT License

Support nonce attribute #28

Closed abiyasa closed 6 years ago

abiyasa commented 6 years ago

The current ebay-font Marko component will cause a Content Security Policy (CSP) warning or even rejection due to a missing nonce attribute on the inline <script> and <style> tags.

Please add support either:

Thanks!

RajaRamu commented 6 years ago

Thank you @abiyasa for reporting it. It is a common module for all the pages. It's very hard to generate a CSP header across all the pages and it comes with a maintainability cost, so we don't need to change.

abiyasa commented 6 years ago

Hi @RajaRamu, sorry for not explaining clearly enough. What I meant is that the CSP header should not be handled by this module. The ebay-font component should just receive the given nonce value and inject it into the script and style elements. So there is no need to maintain the CSP header.

Naive implementation on template.marko would be:

```marko
<style nonce=input.nonce>
  ...
</style>
<script nonce=input.nonce>
  ...
</script>
```

You just pass the value through the component attribute nonce. Using the component would look like this:

```marko
<html>
  <head>
    <ebay-font nonce="2726c7f26c" />
  </head>
  ...
</html>
```

Note that the value "2726c7f26c" is provided from outside, and ebay-font does not have to care about where it comes from.

For lasso, it's even easier. You just add lasso-nonce to the template.marko, and lasso will automatically inject the nonce value. However, we need to implement both solutions (the nonce attribute and lasso-nonce) to support projects with or without lasso (e.g. webpack).