nonce values are being added to the script and style tags in my HTML, but the nonces aren't in the CSP string itself. This appears similar to https://github.com/slackhq/csp-html-webpack-plugin/issues/93 but I'm on Mac OS and I'm using the latest node v14.
I am using an HTML template. A minimal webpack config with this exact template does not exhibit the issue, which makes me think something about my more complex webpack config is preventing the nonces from being added to the CSP.
Curiously, hashes for inline scripts do show up in the CSP string, so it is definitely being generated.
What type of issue is this? (place an x in one of the [ ])
[x] bug
[ ] enhancement (feature request)
[x] question
[ ] documentation related
[ ] testing related
[ ] discussion
Requirements (place an x in each of the [ ])
[x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
[x] I've searched for any related issues and avoided creating a duplicate issue.
Bug Report
I am using this config to generate a CSP.
plugins: [
  new HtmlWebpackPlugin({
    template: 'src/www/index.tpl.html',
    inject: 'body',
    filename: 'index.html'
  }),
  new CspHtmlWebpackPlugin({
    'script-src': '',
    'style-src': ''
  }),
  // I am using other plugins after these: mini-css-extract-plugin, webpack.IgnorePlugin, copy-webpack-plugin, dotenv-webpack, webpack.ProvidePlugin
]
It results in a CSP like the following:
That is: it creates a CSP using hashes for inline scripts, but there are no nonces for script-src or style-src. The nonce attribute is present in a number of <script> and <style> tags in the final HTML document.
Reproducible in:
slackhq/csp-html-webpack-plugin version: 5.1.0
node version: 14.19.3
OS version(s): Mac OS 12.4
Steps to reproduce:
Use the above config to build the app.
View the built index.html asset.
Expected result:
The CSP content to have the nonce values in it.
Actual result:
The nonce values are attached to the script and style tags but are not present in the CSP string itself.
Attachments:
Logs, screenshots, screencast, sample project, funny gif, etc.
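A build-output check for the symptom reported above, as an added example that is not part of the original issue or the plugin's own code: it reads the CSP `<meta>` tag from a built HTML string and lists every `nonce` on a `<script>` or `<style>` tag that the governing directive does not include. `SAMPLE_HTML` with its nonce and hash values is constructed, the function names are hypothetical, and the policy is assumed to sit in a double-quoted `content` attribute of a `<meta http-equiv="Content-Security-Policy">` tag.

```javascript
// Constructed sample of a built index.html with the reported symptom:
// tags carry nonce attributes, but the policy lists only a hash.
const SAMPLE_HTML = `<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-PLACEHOLDER='; style-src 'self'">
<style nonce="c3R5bGUx">body{margin:0}</style>
</head><body>
<script nonce="c2NyaXB0MQ==">console.log(1)</script>
<script src="main.js" nonce="c2NyaXB0Mg=="></script>
</body></html>`;

// Directive lookup order for each element type, per CSP fallback rules.
const FALLBACK = {
  script: ['script-src-elem', 'script-src', 'default-src'],
  style: ['style-src-elem', 'style-src', 'default-src'],
};

// Parse the CSP <meta> tag into { directive: [sources] }, or null if absent.
function parseMetaCsp(html) {
  const meta = (html.match(/<meta\b[^>]*>/gi) || [])
    .find((tag) => /http-equiv\s*=\s*["']?content-security-policy/i.test(tag));
  const content = meta && meta.match(/\scontent\s*=\s*"([^"]*)"/i);
  if (!content) return null;
  const policy = Object.create(null);
  for (const part of content[1].split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// List every nonce on a <script>/<style> tag that its governing directive omits.
function findUncoveredNonces(html) {
  const policy = parseMetaCsp(html);
  if (!policy) throw new Error('no CSP <meta> tag found');
  const tagRe = /<(script|style)\b[^>]*?\snonce\s*=\s*["']([^"']+)["']/gi;
  const missing = [];
  for (const [, tag, nonce] of html.matchAll(tagRe)) {
    const kind = tag.toLowerCase();
    const directive = FALLBACK[kind].find((d) => d in policy) || null;
    const sources = directive ? policy[directive] : [];
    if (!sources.includes(`'nonce-${nonce}'`)) missing.push({ tag: kind, nonce, directive });
  }
  return missing;
}

console.log(findUncoveredNonces(SAMPLE_HTML));
```

Run against the emitted `index.html`, a non-empty result means nonce-tagged elements are not covered by the policy's nonce sources, which is the mismatch described in this report.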