This repository was archived by the owner on Jan 22, 2020. It is now read-only.

Description
As shown here: https://github.com/paypal/react-engine/blob/v2.x/lib/server.js#L30 this module generates inline script tags in the rendered page. That forces developers to allow unsafe-inline in their script-src CSP policy, which introduces numerous security concerns.
The way lusca and other security modules get around this is by generating a nonce in the res.locals field of a response, which should then be applied to a script tag as:
<script nonce={res.locals.nonce}>
We should add an option that reads a nonce from res.locals and inserts it into the script tag in the template linked above, so that the inline script can be allowed by a nonce-based CSP instead of unsafe-inline.