Not all scripts and styles have CSP nonces defined
Closed this issue · 0 comments
peterhartman commented
Describe the bug
Not all scripts are using the CSP nonce
To Reproduce
In the browser pipeline, set (as per the README):
plug :put_secure_browser_headers, %{"content-security-policy" => "default-src 'nonce-ash_admin-Ed55GFnX' 'self'"}
Current behavior
Failure to load jsoneditor and easymde resources
Expected behavior
No console warnings or network failures
Additional context
Ideally ash_admin would allow you to supply your own nonces in the same way as Phoenix.LiveDashboard, e.g.:
ash_admin "/admin", csp_nonce_assign_key: :csp_nonce_value
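A way to find which elements a policy like the one above would refuse, as an added example that is not part of the issue or of ash_admin's code. The sample page, the `cdn.example` host and the function names are constructed for illustration, and only the `default-src` directive is evaluated, as in the policy from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def policy_sources(csp, directive="default-src"):
    """Return (nonces, allows_self) for one directive of a CSP header value."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            nonces = {m.group(1) for t in tokens[1:]
                      if (m := re.fullmatch(r"'nonce-(.+)'", t))}
            return nonces, "'self'" in tokens[1:]
    return set(), False

class _Audit(HTMLParser):
    def __init__(self, nonces, allows_self):
        super().__init__()
        self.nonces, self.allows_self, self.blocked = nonces, allows_self, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_css_link = tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split()
        if tag not in ("script", "style") and not is_css_link:
            return
        url = a.get("href") if is_css_link else a.get("src") if tag == "script" else None
        if a.get("nonce") in self.nonces:
            return  # nonce attribute matches a nonce in the policy
        u = urlparse(url or "")
        if url and self.allows_self and not u.scheme and not u.netloc:
            return  # relative URL, covered by 'self'
        self.blocked.append((tag, url or "inline"))

def blocked_elements(html, csp):
    """List (tag, url-or-'inline') for elements the policy would refuse."""
    audit = _Audit(*policy_sources(csp))
    audit.feed(html)
    return audit.blocked

# Constructed sample page; hosts and paths are placeholders, not ash_admin output.
CSP = "default-src 'nonce-ash_admin-Ed55GFnX' 'self'"
PAGE = """
<script nonce="ash_admin-Ed55GFnX">window.ok = 1</script>
<script src="/assets/app.js"></script>
<script src="https://cdn.example/jsoneditor.min.js"></script>
<link rel="stylesheet" href="https://cdn.example/easymde.min.css">
<style>.x{color:red}</style>
"""
print(blocked_elements(PAGE, CSP))
```

Running this against the rendered admin page in a test makes a missing nonce fail the build instead of surfacing as a console warning.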