`<style>` block dynamically on any window resize. The `<style>` gets appended to the `<HEAD>`.

`style-src`-nonces are activated in HTTP Header plugin.

`nonce="..."` attribute to the `<style>` by JS.

```php
public function onAfterDispatch()
{
    // csp_nonce parameter set by HTTP Header plugin in `__construct()`.
    Factory::getDocument()->addScriptOptions('csp_nonce', $this->app->get('csp_nonce', ''));
}
```

```javascript
const nonce = Joomla.getOptions('csp_nonce', '');
let css = document.createElement('style');

if (nonce)
{
    css.setAttribute("nonce", nonce);
}
```

which works fine for me.

`addScriptOptions()` part in the HTTP Header plugin?

Thank you for your attention!
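An added example, not part of the original post or of Joomla's code: the resize use case described above can be handled without handing the nonce to JS, by writing the computed height into a CSS custom property through the CSSOM, which `style-src` does not restrict. The property name `--scroll-offset`, the `#site-header` selector and the static rule quoted in the comment are assumptions.

```javascript
// Assumed static rule, shipped in a stylesheet the CSP already allows:
//   html { scroll-padding-top: var(--scroll-offset, 0px); }

// Turn the container's rendered height into a CSS length.
// Rounds up so a fractional pixel never hides the scroll target.
function offsetFor(container) {
  const h = container ? container.getBoundingClientRect().height : 0;
  return `${Math.ceil(Number.isFinite(h) && h > 0 ? h : 0)}px`;
}

// Set the custom property via element.style (CSSOM). Unlike an injected
// <style> element or a style="" attribute, this needs no nonce or hash.
function applyScrollOffset(root, container, prop = '--scroll-offset') {
  const value = offsetFor(container);
  root.style.setProperty(prop, value);
  return value;
}

// Recompute once now and on every resize, at most once per animation frame.
function install(win, selector) {
  const doc = win.document;
  const update = () =>
    applyScrollOffset(doc.documentElement, doc.querySelector(selector));
  let frame = 0;
  win.addEventListener('resize', () => {
    win.cancelAnimationFrame(frame);
    frame = win.requestAnimationFrame(update);
  });
  return update();
}

// Only runs in a browser; '#site-header' is a hypothetical selector.
if (typeof window !== 'undefined') {
  install(window, '#site-header');
}
```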
Labels | Added: No Code Attached Yet |
> I'm not sure whether it's a good idea to make the nonce available to JS as it's the point that the hashes and nonces are generated outside of JS etc.

I don't know. My thought was that the whole source code displays the nonce attributes at several places. So, they could be picked out without any problems by malicious JS, too.
> What about passing the new script via the addscript/addstyle that will generate the hash and nonce?

It's a dynamic JS calculation of the height of a container after any window.resize to adapt a scroll target point via CSS. addscript/addstyle are PHP methods. Even if I would find a way to write files dynamically it would mean that I write a file for any guest (different window sizes) and/or I would have to use overheaded AJAX methods.
> I don't know. My thought was that the whole source code displays the nonce attributes at several places. So, they could be picked out without any problems by malicious JS, too.

It's even hidden in the source code editor / browser console.

> It's a dynamic JS calculation of the height of a container after any window.resize to adapt a scroll target point via CSS. addscript/addstyle are PHP methods. Even if I would find a way to write files dynamically it would mean that I write a file for any guest (different window sizes) and/or I would have to use overheaded AJAX methods.

Yes, there are also inline JS/CSS methods that don't require written files.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-06-19 14:18:18 |
Closed_By | ⇒ | ReLater |
> Yes, there are also inline JS/CSS methods that don't require written files.

Yes, but that is PHP too. That doesn't solve the problem.
Hmm, I'm not sure whether it's a good idea to make the nonce available to JS as it's the point that the hashes and nonces are generated outside of JS etc.
What about passing the new script via the addscript/addstyle that will generate the hash and nonce?