How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

[Security] Facility to supply a nonce used in inline scripts



We are looking to implement a hardened content security policy. This includes setting a nonce for script-src:

Content-Security-Policy: script-src 'self' 'nonce-123abc'

The issue is that some of the inline scripts, for instance Stripe's, are generated by the closed-source ionCube part of WHMCS and cannot be modified as part of a template file to inject the nonce onto the script tag.

Please note I cannot supply the full example for you to locate this so have stripped the script tags, because WHMCS blocks posts that contain script tags.

E.g.


type="text/javascript" src="https://js.stripe.com/v3/"
type="text/javascript" src="/client/modules/gateways/stripe/stripe.min.js?a=1734614774"
type="text/javascript"

var card = null,
stripe = null,
elements = null,
lang = null,
existingToken = null,
paymentRequestButtonEnabled = null,
paymentRequestAmountDue = null,
paymentRequestCurrency = null,
paymentRequestDescription = null,
paymentRequestButtonEnabled = null,
elementOptions = null,
amount = '1480',
elementsClass = 'form-group',
defaultErrorMessage = 'Remote Transaction Failure. Please Contact Support.';


The desired output would be for the final script:
type="text/javascript" nonce="abc123"

var card = null,


Of course, the nonce has to apply to every single inline script, whether it has come from WHMCS, some other plugin's template, or our own customisations. Therefore it would need to be something that is set and made accessible via both Smarty plugins and regular plain old PHP code.

We've done this through a plain old PHP object that contains a static variable for the nonce, set once and immutable for the request. But of course we cannot get at the points where WHMCS injects script tags itself.
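The per-request nonce holder described in the post, together with a check that lists which script tags in a rendered page still lack the nonce, as an added PHP example (not code from the original post or from WHMCS). The names CspNonce and scriptsMissingNonce and the sample HTML are assumptions made for illustration; PHP 7.4 or later with the DOM extension is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not WHMCS code; class and function names are hypothetical.
final class CspNonce
{
    private static ?string $value = null;

    // Generated on first use, then fixed for the rest of the request.
    public static function get(): string
    {
        return self::$value ??= base64_encode(random_bytes(18));
    }

    public static function header(): string
    {
        return "Content-Security-Policy: script-src 'self' 'nonce-" . self::get() . "'";
    }

    // Attribute string for templates and plain PHP that emit script tags.
    public static function attr(): string
    {
        return 'nonce="' . htmlspecialchars(self::get(), ENT_QUOTES) . '"';
    }
}

// Lists script elements in rendered HTML that lack this request's nonce.
// Same-origin src entries are still allowed by 'self'; the rest would be blocked.
function scriptsMissingNonce(string $html): array
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate HTML5 markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $missing = [];
    foreach ($doc->getElementsByTagName('script') as $s) {
        if ($s->getAttribute('nonce') !== CspNonce::get()) {
            $missing[] = $s->getAttribute('src') ?: 'inline: ' . substr(trim($s->textContent), 0, 40);
        }
    }
    return $missing;
}

// Constructed sample page: one template-controlled script, one emitted without a nonce.
$html = '<html><body><script ' . CspNonce::attr() . '>var ours = 1;</script>'
      . '<script type="text/javascript">var card = null;</script></body></html>';
echo CspNonce::header(), "\n";
print_r(scriptsMissingNonce($html));
```

Running the check over captured page output while the policy is still deployed as Content-Security-Policy-Report-Only gives an inventory of the script tags that cannot yet carry the nonce.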
