paypal / react-engine

a composite render engine for universal (isomorphic) express apps to render both plain react views and react-router views
Apache License 2.0

Eliminate need for unsafe-inline #193

Closed linkRace closed 6 years ago

linkRace commented 6 years ago

As shown here: https://github.com/paypal/react-engine/blob/v2.x/lib/server.js#L30, script tags are being used to generate inline code through this module. This forces developers to use an unsafe-inline CSP policy, which introduces numerous security concerns.

The way lusca and other security modules get around this is by generating a nonce in the res.locals field of a response, which should then be applied to a script tag as: <script nonce={res.locals.nonce}>

We should add an option to put a nonce called from res.locals into the template defined above to eliminate this issue.