I've been reading the CSP documentation regarding using inline scripts with nonce (Number used only once), but I still don't get it fully.
HTTP layer:
Content-Security-Policy: script-src 'nonce-2726c7f26c'
JavaScript inlined in HTML
<script nonce="2726c7f26c">
var inline = 1;
</script>
<script nonce="2726c7f26c">
var inline2 = 2;
</script>
require('crypto')
My solution was correct
We create one nonce per HTTP request; we should not create one per script. So, my initial solution was correct. The CSP rules go into the HTTP layer, and thus one nonce per HTTP request.