Use CSP nonce instead of unsafe-inline

[mirvnillith]

(I looked into contributing this myself but given how this would require interconnecting changes in, at least, phoss-smp and ph-oton I did not want to risk it)

There should be some kind of context to allow phoss-smp to use CSP nonce for inline scripts instead of the discouraged unsafe-inline used today. They way we're currently deploying phoss-smp access is through a proxy to target a specific Kubernetes pod in an otherwise fully clustered environment and that adds a second CSP header that gets used instead (being more restrictive than unsafe-inline). Hopefully nonce would rectify this, although the CSP "most restrictive" resolution process is not strictly defined).
I see that CSP2SourceList (ph-web) supports nonce, but what seems to be missing is a way to convey the per-request value from SMPApplicationXServletHandler (phoss-smp), where it would be added to the CSP, to AbstractHCScriptInline? (ph-oton) to be rendered into script-tags.

[phax]

Thanks for the proposal - makes sense. I will try to get the script nonceattributes in

Edit: note to myself: https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce

[mirvnillith]

Understanding that you're the main developer behind all affected parts and the consequences on ownership and availability I'd like to try to help with this implementation with your guidance (as our need is probably greater than your time/priority). I've read your style guide but for this feature I think we'd need a design guide for where/how to integrate the parts.
Naively my approach would be a ThreadLocal somewhere in ph-oton that hold the nonce of the ongoing request. The (optional) nonce would be set by phoss-smp, when added to the CSP header, and then applied, if set, by ph-oton. But perhaps there's already a per-request context available (could the response object itself be used?) that I have yet to find?

[phax]

Hi @mirvnillith indeed, I am the main developer on all affected components.
Thanks for your initiative. I already have something in my mind how to resolve this. Unfortunately a ThreadLocal is not sufficient, because it is possible, that when a component is loaded by an XHR call, it may include another inline script. (The "per request" stuff is also present e.g. as RequestWebScope and via AbstractRequestWebSingleton) So I would favour a solution that uses a nonce on session level instead. Also I want to make this feature only to be available on demand (of course by default in the SMP).

[mirvnillith]

I don't really like pushing like this, but we're dependent on this fix for when "our" SMP is put into production. For development/testing we can circumvent the UI by editing the database, but production has the proxy.
What kind of timeline would there be on this change so that we can adjust our plan/approach?

[phax]

I am working on it - expect something by the end of this week

[phax]

It is part of the SMP 7.2.1 release