Closed nathanalderson closed 1 month ago
Converting to draft because I just realized I need to handle the script on the OAuth2Redirect Plug as well.
Okay, I handled `OpenApiSpex.Plug.SwaggerUIOAuth2Redirect` as well. I had to change the inline script from:

```html
<body onload="run()">
<script>
function run() {...}
</script>
</body>
```

to:

```html
<head>
<script>
(function run() {...})();
</script>
</head>
```
Because from my reading, there's no way to set a nonce on an event handler. Setting a nonce value on both the `<script>` tag and the `<body>` tag did not work.
We use a strict Content Security Policy (CSP) on our site which disallows inline scripts and inline styles unless they include the correct nonce value. This change allows the user to configure keys that, if given, will be used to look up nonces in `conn.assigns`, which are then used on the corresponding `<script>` and `<style>` elements. Configuration looks like this:
Or to use the same nonce for both:
This configuration matches the way this is handled by phoenix_live_dashboard and Oban Web.
If no keys are configured the nonce property is omitted, so this should be entirely backward compatible.
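The plug that actually produces the nonces and the matching CSP header is the other half of this setup and is not part of open_api_spex or of this PR. The following is an added example of such a plug: it generates a fresh random nonce per request, stores it in `conn.assigns` under the keys the SwaggerUI plug is configured to read, and emits a `Content-Security-Policy` header that only permits inline `<script>` and `<style>` elements carrying those nonces. The module name, the `:script_key`/`:style_key` option names and the `:api_docs` pipeline are assumptions for illustration; the SwaggerUI plug's own option names are not reproduced here because they are not in the extracted description.

```elixir
defmodule MyAppWeb.Plugs.CSPNonce do
  @moduledoc """
  Added example (not open_api_spex code): one random nonce per request, stored
  in conn.assigns and echoed in a nonce-based Content-Security-Policy header.

  A nonce applies only to <script> and <style> elements; an inline event
  handler such as <body onload="run()"> is never covered by it, which is why
  the UI pages call their code from inside a nonce-bearing <script> instead.
  """

  @behaviour Plug
  import Plug.Conn

  # Assumed option names; they default to the assign keys :script_nonce and :style_nonce.
  @defaults [script_key: :script_nonce, style_key: :style_nonce]

  @impl Plug
  def init(opts), do: Keyword.merge(@defaults, opts)

  @impl Plug
  def call(conn, opts) do
    # Separate nonces for scripts and styles; pass the same key for both
    # options if a single nonce is preferred.
    script_nonce = generate_nonce()
    style_nonce = generate_nonce()

    conn
    |> assign(opts[:script_key], script_nonce)
    |> assign(opts[:style_key], style_nonce)
    |> put_resp_header("content-security-policy", csp_header(script_nonce, style_nonce))
  end

  # 128 bits from the CSPRNG, base64url-encoded so the value is safe both in an
  # HTML attribute and in the header. A nonce must never be reused across responses.
  defp generate_nonce do
    16
    |> :crypto.strong_rand_bytes()
    |> Base.url_encode64(padding: false)
  end

  # No 'unsafe-inline': only elements carrying the current nonce may run/apply.
  defp csp_header(script_nonce, style_nonce) do
    Enum.join(
      [
        "default-src 'self'",
        "script-src 'self' 'nonce-#{script_nonce}'",
        "style-src 'self' 'nonce-#{style_nonce}'",
        "object-src 'none'",
        "base-uri 'self'"
      ],
      "; "
    )
  end
end

# Router usage (assumed pipeline name): the nonce plug must run before the route
# that renders the UI so the assigns exist when the page is built.
#
#   pipeline :api_docs do
#     plug MyAppWeb.Plugs.CSPNonce, script_key: :script_nonce, style_key: :style_nonce
#   end
#
# Any template rendered after it puts the value on the element:
#
#   <script nonce="<%= @script_nonce %>">...</script>
```

Two checks worth making once this is wired up: the nonce in the header must equal the one on the rendered elements for the same response (a mismatch, or a nonce cached and served twice, silently turns the policy into a block), and if the UI loads the swagger-ui assets from a CDN rather than from your own host, that origin has to be added to `script-src` and `style-src`, since the nonce only covers the inline elements.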