paypal / react-engine

a composite render engine for universal (isomorphic) express apps to render both plain react views and react-router views
Apache License 2.0

[v2.x] add nonce to the script tag for unsafe-inline #194

Closed kumarrishav closed 6 years ago

kumarrishav commented 6 years ago

Fix: #193

kumarrishav commented 6 years ago

@linkRace review?

linkRace commented 6 years ago

This would be the general idea, yes. Just curious where the nonce would get added to the data attribute.

kumarrishav commented 6 years ago

@linkRace yup it will. It is part of the data object: nonce: 'XCOuVO2tFc4PeKhx0ZlWWfABwsLjnzRaIhim3iTFLRZ2IUCB', _csrf: 'cZzTfhRzUK97Zj0qHI0V3p8R8iOQgUflcAS9g='. In a similar way we have context and locale in the data object too.

I checked in the console.log of data

kumarrishav commented 6 years ago

https://github.com/paypal/react-engine/blob/v2.x/lib/server.js#L99

kumarrishav commented 6 years ago

so, all the props of kraken come into react-engine via the options arg, which gets merged into data: https://github.com/kumarrishav/react-engine/blob/aea30c81ddee4a163ace234db4d96c066efdae39/lib/server.js#L71 . I will replace data with options, which makes more sense :).

samsel commented 6 years ago

just curious, are you still using v2?

kumarrishav commented 6 years ago

yeah, when the project was started, v2.x was what was available at that time. Probably this quarter we might do the update.

kumarrishav commented 6 years ago

@samsel done.