Skip to content
This repository has been archived by the owner on Dec 1, 2021. It is now read-only.

Add placeholder for nonce to Google analytics script tag #12

Open
JoeChapman opened this issue Jan 10, 2017 · 1 comment
Open

Add placeholder for nonce to Google analytics script tag #12

JoeChapman opened this issue Jan 10, 2017 · 1 comment

Comments

@JoeChapman
Copy link
Contributor

So we can implement a Content Security Policy that does not allow unsafe-inline scripts to be loaded we should sign our script tags with a nonce.

A nonce can be generated in server middleware on each request using npm uuid, assigned to the locals object and the CSP script-src directive.

When the template is rendered the placeholder is substituted with the value of locals.nonce

If the value of the placeholder attribute (the nonce value we just set) and the value of the nonce on the server match then the request can proceed

Associated issues
UKHomeOfficeForms/hof#105
alphagov/govuk_template#258
@JoeChapman
Copy link
Contributor Author

PR for script tag placeholder: alphagov/govuk_template#268

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JoeChapman