-
-
Notifications
You must be signed in to change notification settings - Fork 309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow nonce in reCaptcha #312
base: main
Are you sure you want to change the base?
Conversation
Codecov Report
@@ Coverage Diff @@
## master #312 +/- ##
==========================================
+ Coverage 99.66% 99.66% +<.01%
==========================================
Files 18 18
Lines 894 908 +14
Branches 74 75 +1
==========================================
+ Hits 891 905 +14
Misses 3 3
Continue to review full report at Codecov.
|
@kesara You need to add documentation for nonce. |
Hi @kesara, I was looking at this patch to integrate it in a small project of mine that uses nonce-based CSP. I was wondering, why is the I'm using custom code to generate the nonce, but from what I see also popular extensions such as flask-talisman generate the nonce as a parameter of Perhaps I'm missing something... how do you generate the CSP |
Hi @pogliamarci, I totally forgot that this PR is hanging. :( Your plan to use flask-tailsman makes more sense, but that also means flask-wtf will have to add flask-talisman as a dependency? |
Hi @kesara, what do you mean by “allowing everything required for recaptcha in CSP rules”?
I was using your patch, but, when I instantiate a ReCaptchaField, I’m outside the request context, but the nonce is generated once per request (thus in the request context). So I would need to pass callable instead of a string to ReCaptchaField.
I used flask-talisman as an example, although in my project I’m not using this extension (I have some custom code that generates the nonce in @app.before_request and puts it into request.csp_nonce). But I think that passing a function to ReCaptchaField that then grabs the CSP nonce from the right attribute of the request context should be general enough.
(that said, I’m not a maintainer of this project, I just stumbled upon your PR that was useful for a project of mine)
… On 4 Apr 2019, at 22:44, Kesara Rathnayake ***@***.***> wrote:
Hi @pogliamarci <https://github.com/pogliamarci>, I totally forgot that this PR is hanging. :(
In my use case we end up, allowing everything required for reCaptcha in CSP rules.
IIRC initial idea was to generate the nonce for every request (anyway you like) and pass it to the headers
Your plan to use flask-tailsman makes more sense, but that also means flask-wtf will have to add flask-talisman as a dependency?
May be introduce a new configuration option and use flask-tailsman if that present?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#312 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABaM_KDVfrvOsUeQGtcq2QspYGn-IgQJks5vdmQ5gaJpZM4QELXQ>.
|
Issue: #311
This adds a
nonce
attribute to script tag, which can be set viaIn order to use this, Flask app has to provide the nonce value via header.
Example: