Hi Grzegorz,
Fusion will not add built-in functionality for Nonce as we cannot meet the requirements needed to provide significant added security on requests due to cache, and we do not want to provide a false sense of security to client developers or readers. If you would like to implement a nonce attribute in your outputType, you should be able to do this currently: use the <meta http-equiv="Content-Security-Policy"> tag and modify the scripts you place on the page to include the nonce attribute.
Hello Admin. The cache doesn't matter because the only thing that matters is that the hacker can't inject a script with a known nonce, e.g. through cross-site scripting, SQL injection, etc. Any such attempt would by necessity generate a new cached version with a new nonce. The hacker could only inject a script into the cached version on the CDN, which isn't impossible, but much more limiting. In other words, what we want doesn't cover 100% of cases with server-side rendering, but covers most that we care about.
I'm not sure I understand how a nonce attribute would work with the Fusion rendering and cache strategy. Currently, responses generated by Fusion are cached for several minutes or hours and served to many readers. This seems incompatible with the nonce model to me, as no request would ever be able to generate a unique value for a single HTTP request.