
Add possibility to clear nonces

Open arxeiss opened this issue 5 years ago • 2 comments

In a Laravel app, I have this piece of code `View::share('scpScriptNonceToken', SecureHeaders::nonce());` in `AppServiceProvider`. I used this to prevent generating a big amount of nonces for scripts.

But there is also another reason for this. On pages where there is no JS, no nonce is generated, which then means that someone is able to inject his own script without a nonce and it will work. (This would happen really rarely.) This will always generate a nonce.

But then, I need to remove nonces for some routes where libraries like FileManager live. Currently, there is no way to remove already generated nonces.


Hope this is understandable. If not, don't hesitate to ask

arxeiss avatar May 12 '20 09:05 arxeiss

Hi @arxeiss,

Sorry for the late reply.

In my opinion, when there are some routes that do not contain JS, isn't it a better approach to exclude those routes from `AppServiceProvider`?

bepsvpt avatar May 21 '20 13:05 bepsvpt

Excluding would be awesome, but when the `boot` method is called, `request()->route()` returns `null`. The `boot` method is called before the Router is initialized. So I would need to do some regex matching on the URI itself. That's why I wanted to add this function.

arxeiss avatar May 21 '20 14:05 arxeiss
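One way to get the per-route exclusion that both participants want, without needing to clear an already generated nonce, is to move the `View::share(...)` call out of `AppServiceProvider::boot()` and into route middleware, where the router has already matched the request. The following is an added example and is not code from the secure-headers project or from the issue's author; it assumes a Laravel app using this package, keeps the page's `scpScriptNonceToken` view variable, and treats the middleware class name and the `filemanager.*` route-name pattern as assumptions.

```php
<?php
// Added example (not from the secure-headers project or this issue's author).
// Assumes a Laravel application with bepsvpt/secure-headers installed, where
// SecureHeaders::nonce() registers a script-src nonce for the current request.
// The class name and the excluded route-name pattern are assumptions.

namespace App\Http\Middleware;

use Bepsvpt\SecureHeaders\SecureHeaders;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\View;

class ShareScriptNonce
{
    /**
     * Route-name patterns (as accepted by Request::routeIs()) that must NOT get a
     * nonce, for example pages hosting libraries such as a file manager that emit
     * their own inline scripts and would break under a nonce-only policy.
     */
    protected array $excludedRoutes = ['filemanager.*'];

    public function handle(Request $request, Closure $next)
    {
        // Route middleware runs after the router has matched the request, so
        // $request->route() is populated here. In a service provider's boot()
        // it is still null, which is why excluding routes there needs URI regexes.
        if (! $request->routeIs(...$this->excludedRoutes)) {
            // Generate exactly one nonce per request and share it with every
            // view, so Blade templates can emit <script nonce="{{ $scpScriptNonceToken }}">.
            // Because this runs for every non-excluded route, a nonce is present
            // in the Content-Security-Policy even on pages that render no scripts,
            // which is the issue's motivation for always generating one.
            View::share('scpScriptNonceToken', SecureHeaders::nonce());
        }

        // Excluded routes never call nonce(), so nothing has to be removed later.
        return $next($request);
    }
}
```

Register the class in the `web` middleware group in `app/Http/Kernel.php` rather than as global middleware: global middleware runs before route matching and would see `$request->route()` as `null` just like `boot()` does. If matching by URI is preferred over route names, `$request->is('filemanager/*')` works in the same position.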