bepsvpt/secure-headers

Add Nonce on Javascript Navigation

PanjiNamjaElf opened this issue · 5 comments

Hello..
How to add nonce on javascript navigation without enable 'unsafe-inline' in 'script-src' ?

Ex:

I want add nonce on 'javascript:void(0);' or similar script like that
Thanks!

Hi @PanjiNamjaElf,

Is doc example what you need?

Or you want something like <a href="javascript:void(0)">link</a>?

Yes...
I want like this

     <a href="javascript:void(0);" class="waves-effect">
      <i class="ti-money"></i>
      <span>@lang('menu')<span class="menu-arrow"></span>
     </a>

I try put nonce like this <a href="javascript:void(0);" class="waves-effect" nonce="ABC==">
But not work...
When i enable unsafe-inline and has some nonce in my inline script unsafe-inline will be ignored

Is it using <span>...</span> instead of <a>...</a> possible?

Is not work..
But i have resolved it...

I enable unsafe-hashes and hashed javascript:void(0) to sha384 and put it on hashes config sha384

Thank you!!

Thanks for this information. I will add to example!