

Question (ASP.NET Core 2, CSP nonce not populating on script tags):

I'm a bit new to web development, so any tips in ASP.Net Core 2 would be greatly appreciated if anything stands out to you. This seems really simple and I'm really confused about why the attributes are not populating. The nonce is generated, it exists in HttpContext.Items, but it does not populate. I decided to use the Items collection inside the HttpContext to store the nonce because, from what I can tell, it is per request. My problem seems fairly simple, and I feel like I'm missing something extremely obvious, but I'm unable to determine why the nonce attributes on the script elements aren't populating and remain empty strings instead.

The code fragments from the question, as they survived extraction (the receiver of the header-setting call is garbled on the page and is left as an ellipsis):

    // in Startup.Configure(IApplicationBuilder app, IHostingEnvironment env)
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    // ... nonceBytes filled from rng
    String nonce = Convert.ToBase64String(nonceBytes);
    // ... nonce stored in HttpContext.Items, then the header is set:
    ...("Content-Security-Policy", string.Format(
        "script-src 'self' 'unsafe-eval' 'nonce-' " +

Question (Pug, nonce attribute appears empty in the inspector):

On my page (localhost) I inspect the source of the page and it shows the nonce. But when I inspect the elements, it is just 'nonce'. So it doesn't seem to be an issue with Pug; something is stripping the nonce away on page load or something. Also, I ran npm test on Pug after adding my own test for nonce, and it passed.

Answer:

The nonce was there the entire time; Chrome was hiding it.

Question (PHP, passing a nonce into script tags):

I'm aware of different methods to read the PHP variable in HTML or JavaScript and of methods to pass it into the script tags, like these: Adding nonce to … I need to add the nonce variable to the script tags here too, because I cannot use the 'unsafe-inline' value for script-src in the CSP (it contradicts the whole point of using CSP).

Reference (Pug, Comments):

    // This comment will appear in the HTML
    //- This is a silent comment
    //- Nesting inside a comment creates a comment block

See: Comments.

Reference (Pug, interpolating a JavaScript object):

If you need to interpolate the value of a JavaScript object (e.g. all the information about a user), you must stringify the output in Pug for it to be treated as a JavaScript object. It's also necessary to output the raw contents of the variable, instead of the evaluated form of it. If you were to output the escaped variable (var user …

Reference (DOM, Element.setAttribute(name, value)):

name: a string specifying the name of the attribute whose value is to be set. The attribute name is automatically converted to all lower-case when setAttribute() is called on an HTML element in an HTML document.

value: a string containing the value to assign to the attribute. Any non-string value specified is converted automatically into a string.
