nonce values are being added to the script and style tags in my HTML, but the nonces aren't in the CSP string itself. This appears similar to #93 but I'm on Mac OS and I'm using the latest node v14.
I am using an HTML template. A minimal webpack config with this exact template does not exhibit the issue, which makes me think something about my more complex webpack config is preventing the nonces from being added to the CSP.
Curiously, hashes for inline scripts do show up in the CSP string, so it is definitely being generated.
What type of issue is this? (place an x in one of the [ ])
bug
enhancement (feature request)
question
documentation related
testing related
discussion
Requirements (place an x in each of the [ ])
I've read and understood the Contributing guidelines and have done my best effort to follow them.
I've searched for any related issues and avoided creating a duplicate issue.
Bug Report
I am using this config to generate a CSP.
plugins: [
  new HtmlWebpackPlugin({
    template: 'src/www/index.tpl.html',
    inject: 'body',
    filename: 'index.html'
  }),
  new CspHtmlWebpackPlugin({
    'script-src': '',
    'style-src': ''
  }),
  // I am using other plugins after these: mini-css-extract-plugin, webpack.IgnorePlugin, copy-webpack-plugin, dotenv-webpack, webpack.ProvidePlugin
]
It results in a CSP like the following:
That is: it creates a CSP using hashes for inline scripts, but there are no nonces for script-src or style-src. The nonce attribute is present in a number of <script> and <style> tags in the final HTML document.
Reproducible in:
slackhq/csp-html-webpack-plugin version: 5.1.0
node version: 14.19.3
OS version(s): Mac OS 12.4
Steps to reproduce:
Use the above config to build the app.
View the built index.html asset.
Expected result:
The CSP content to have the nonce values in it.
Actual result:
The nonce values are attached to the script and style tags but are not present in the CSP string itself.
Attachments:
Logs, screenshots, screencast, sample project, funny gif, etc.
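A check for the symptom reported above, as an added example that is not part of the original issue or the plugin's own code: it reads built HTML, parses the CSP `<meta>` tag, and lists every `<script>`/`<style>` nonce that the governing directive does not contain. The function names and the sample HTML are constructed for illustration, and the regex parsing assumes webpack-style output with a double-quoted `content` attribute.

```javascript
// Parse the CSP <meta> tag into a Map of directive name -> Set of sources.
// Assumes the content attribute is double-quoted (CSP sources use single quotes).
function parseMetaCsp(html) {
  const meta = (html.match(/<meta\b[^>]*>/gi) || []).find((tag) =>
    /http-equiv\s*=\s*["']?content-security-policy/i.test(tag));
  const content = meta && /\bcontent\s*=\s*"([^"]*)"/i.exec(meta);
  if (!content) return null;
  const directives = new Map();
  for (const part of content[1].split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), new Set(sources));
    }
  }
  return directives;
}

// Return every <script>/<style> nonce that the governing directive does not list.
function findUnlistedNonces(html) {
  const csp = parseMetaCsp(html);
  if (!csp) throw new Error('no CSP <meta> tag found');
  const missing = [];
  const tagRe = /<(script|style)\b[^>]*?\bnonce\s*=\s*["']([^"']+)["']/gi;
  for (const [, tag, nonce] of html.matchAll(tagRe)) {
    const directive = `${tag.toLowerCase()}-src`;
    // script-src and style-src fall back to default-src when absent.
    const sources = csp.get(directive) || csp.get('default-src') || new Set();
    if (!sources.has(`'nonce-${nonce}'`)) {
      missing.push({ tag: tag.toLowerCase(), directive, nonce });
    }
  }
  return missing;
}

// Constructed sample reproducing the reported symptom: hash present, nonces absent.
const sampleHtml = `<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-CONSTRUCTEDHASH='; style-src 'self'">
<style nonce="c3R5bGUx">body { margin: 0 }</style>
</head><body>
<script nonce="c2NyaXB0MQ==" src="main.js"></script>
</body></html>`;

console.log(findUnlistedNonces(sampleHtml));
```

Run against the real `index.html` after each build (for example by reading it with `fs.readFileSync`) and fail the build when the returned list is non-empty, since a nonce that the policy does not list authorizes nothing.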