Nonce is empty unless dump using twig

Question

Nonce is empty unless dump using twig

vdeville opened this issue 5 months ago · comments

Hello,

Today i tested to add inline-nonce to all scripts. In Production mode no problem, but in dev mode if i not do {% dump(csp_nonce('script')) %} all the script have empty nonce

Do you have any idea about this problem ?

Thanks

Valentin Deville · Answer 1 · Fri Mar 08 2024 23:12:43 GMT+0800 (China Standard Time)

Example in html:

Incode:

<script type="text/javascript" nonce="{{ csp_nonce('script') }}" nonceTest="{{ csp_nonce('script') }}">

Valentin Deville · Answer 2 · Fri Mar 08 2024 23:14:08 GMT+0800 (China Standard Time)

Do dump before this script in twig:

        {{ dump(csp_nonce('script')) }}
        <script type="text/javascript" nonce="{{ csp_nonce('script') }}" nonceTest="{{ csp_nonce('script') }}">

Result:

Jordi Boggiano · Answer 3 · Mon Mar 11 2024 22:51:23 GMT+0800 (China Standard Time)

This is normal https://stackoverflow.com/a/55673767/6512

You can check the view-source of the page to verify nonces, do not use the web inspector.

Valentin Deville · Answer 4 · Tue Mar 12 2024 23:49:29 GMT+0800 (China Standard Time)

Thanks for your reply, i don't really understand why in dev or prod env some scripts was not loaded or loaded, for example in dev mode googlemap put eval error in javascript, not in production (same config, same loaded url etc)
Thanks