jxstxn1 / dockerize


Considering generating a nonce for the Flutter Scripts in index.html #25

Closed jxstxn1 closed 1 year ago

jxstxn1 commented 1 year ago

We should consider adding a nonce to helmet and the index.html to be able to remove unsafe-inline and unsafe-eval.

How I think it could work:

Edit: TIL Nonce should be generated dynamically. I'll try the same approach but with a sha256 hash

Edit2: API will be that we probably can offer hash and nonce scripts, so users will have to add either 'sha256-'/'sha384-'/'sha512-' or 'nonce-' to their script tags. The rest will be handled by us while building the container and serving the application. @robiness @passsy your thoughts about this?

passsy commented 1 year ago

nonce should work. Set a nonce in the Content-Security-Policy header and set the same nonce to all <script> tags that you serve for that request. It requires editing the HTML though.

sha256 is the same thing, but instead of editing the HTML, a hash of all inline-js will be set in the header. I prefer sha256, because you save yourself manipulating HTML, and the responses can be cached.