Hacker News
by allan_s 436 days ago
note that for inline style/script, as long as you're not using `style=''` or `onclick=''`, you can use `nonce=` to have a hash and, to my understanding, newly added inline script will not be tolerated, allowing you to have the best of both worlds

It does seem like CSP nonces do not play well with caching (since they must have a different value on each page load), which would make them a detriment to performance.
You can also include a hash of the contents in the CSP, which plays well with caching.
True, a hash works as a good alternative. (Unless you're doing super weird stuff like generating inline scripts at runtime.)