Add nonce

[cilyaa]

Hey there!

I've just acquired a Nova license and I am in the process of playing around on a new laravel project (laravel 12, nova 5), getting to know Nova and the VILT stack. My goal is to evaluate whether it may be used for projects at work and as such I'm trying to make it comply with our security guidelines.
At the moment, I'm attempting to apply a strict CSP policy (which is a requirement), and I'm almost there. The only thing missing so far is a way to add a nonce to built-in vue components that have inline styles.

I can send the nonce to the frontend through Nova::provideToScript(), however I cannot easily forward it to the needed components.
I see that none of them have a nonce attribute and attribute inheritance being explicitly disabled in some case, I guess I would need either to override the vue components one way or another, or request for that to be implemented.

Has anyone here already tackled this? Any tips?

[arjankapteijn]

Hi Cilyaa,

Could you help me with documentation regarding the usage of Nova::provideToScript. I would really like to use a strict CSP.

[cilyaa]

Hi Arjan,

First thing first, please note that I did not achieve to have a completely strict CSP so far.
The current outstanding issue is being unable to add nonce to inline style attribute in the vue components that use it. So, for the time being I have to have the style-src set to unsafe-inline.

Here's the link to the doc about Nova::provideToScript(). By passing a nonce generated by the backend, it becomes available in js through Nova.config('nonce'). However, it's not a silver bullet as you would have to modify the vuejs components to make use of it (afaik).

You will need to override the main nova blade layout by publishing it in your app to add the nonce where needed (ie. resources/views/vendor/nova/layout.blade.php).

Hope that helps.