| {% else %} | ||
| <!-- Global site tag (gtag.js) & Google Analytics Code for Site. --> | ||
| <script async src="https://www.googletagmanager.com/gtag/js?id={{ settings.GOOGLE_ANALYTICS_PROPERTY_ID }}"></script> | ||
| <script async nonce="CSP_NONCE" src="https://www.googletagmanager.com/gtag/js?id={{ settings.GOOGLE_ANALYTICS_PROPERTY_ID }}"></script> |
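Review bot: the added `nonce="CSP_NONCE"` is a literal string in the template, so every response carries the same value and it cannot act as a CSP nonce; the value needs to be generated fresh per response (the same way `{{ settings.GOOGLE_ANALYTICS_PROPERTY_ID }}` is rendered from context) and the identical value must appear in the response's `Content-Security-Policy` header as `script-src 'nonce-...'`, which this hunk does not touch. Without the matching header source the attribute has no effect, and with a fixed value the header source would allow any injected script that copies it.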
This is a static string value. I think a nonce is supposed to be a random value per HTTP response.
-
Is this a test? If so, why merge instead of build image from branch?
-
Why do we now need a nonce? Is it because Google Analytics changed something, and we should "avoid using the CSP unsafe-inline directive" as a solution?
> […] If you don't need nonce, don't use it. […] Always try to take full advantage of CSP protections and avoid nonces or unsafe inline scripts whenever possible.
> — MDN: nonce
Note
@chandra-tacc's attempt at this was #672. It probably made a dynamic value, but added nonce on more elements than seemed necessary.
Google also says nonce should be server-generated, but it says the nonce can be supplied in server config's "Content-Security-Policy" instead. That may be easier and cover all scripts.
Overview
Checking for delta between main and dev branch.
Related
…
Changes
Added nonce for analytics requests.
Testing
2A. Find the logging from ITS scans being run against the host to see if the flagged issue has been resolved in the security scans.
2B. Find a way to validate the nonce directly (some kind of bash check I suspect).
UI
None.
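The per-response nonce the reviewers ask for, and the direct check item 2B is looking for, as an added Python example that is not part of this PR or the project's code; `make_nonce`, `csp_header`, `render_gtag` and `check_response` are hypothetical helper names, and the CSP policy string and the `G-TEST` property id are constructed sample values:

```python
import re
import secrets

NONCE_BYTES = 16  # 128 bits of randomness, drawn fresh for every response


def make_nonce() -> str:
    """Return an unguessable CSP nonce; base64url is valid in both the header and the attribute."""
    return secrets.token_urlsafe(NONCE_BYTES)


def csp_header(nonce: str) -> str:
    """Build a Content-Security-Policy value that only allows scripts carrying this nonce (constructed policy)."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def render_gtag(property_id: str, nonce: str) -> str:
    """Render the analytics tag from the PR with a per-response nonce instead of a fixed string."""
    return (f'<script async nonce="{nonce}" '
            f'src="https://www.googletagmanager.com/gtag/js?id={property_id}"></script>')


_NONCE_IN_CSP = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")
_NONCE_IN_TAG = re.compile(r'<script[^>]*\snonce="([^"]*)"')


def check_response(csp_value: str, html: str) -> list[str]:
    """Validate one response: each script nonce must be a real value and must appear in the CSP header.

    Returns a list of findings; an empty list means the nonce setup is consistent.
    """
    findings = []
    header_nonces = set(_NONCE_IN_CSP.findall(csp_value))
    if not header_nonces:
        findings.append("CSP header carries no 'nonce-...' source, so script nonces have no effect")
    for tag_nonce in _NONCE_IN_TAG.findall(html):
        if tag_nonce == "CSP_NONCE" or len(tag_nonce) < 16:
            findings.append(f"script nonce {tag_nonce!r} is a placeholder or too short to be unguessable")
        if tag_nonce not in header_nonces:
            findings.append(f"script nonce {tag_nonce!r} not present in CSP header")
    return findings


def nonces_differ(responses: int = 2) -> bool:
    """Two renders of the same page must carry different nonces; a fixed value fails this."""
    return len({make_nonce() for _ in range(responses)}) == responses


if __name__ == "__main__":
    nonce = make_nonce()
    print("per-response nonce:", check_response(csp_header(nonce), render_gtag("G-TEST", nonce)))
    print("fixed placeholder:", check_response(csp_header(nonce), render_gtag("G-TEST", "CSP_NONCE")))
```

The same check can be run against a live response by fetching the page twice and passing each `Content-Security-Policy` header and body to `check_response`, then confirming the two nonces differ.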