feat: add preset CSP nonce (ory#2096)

Closes ory/kratos-selfservice-ui-node#162

internal/httpclient/api/openapi.yaml

@@ -4606,6 +4606,14 @@ components:
           type: string
         node_type:
           type: string
+        nonce:
+          description: |-
+            Nonce for CSP
+
+            A nonce you may want to use to improve your Content Security Policy.
+            You do not have to use this value but if you want to improve your CSP
+            policies you may use it. You can also choose to use your own nonce value!
+          type: string
         referrerpolicy:
           description: The script referrer policy
           type: string
@@ -4621,6 +4629,7 @@ components:
       - id
       - integrity
       - node_type
+      - nonce
       - referrerpolicy
       - src
       - type

internal/httpclient/docs/UiNodeAttributes.md

@@ -23,13 +23,14 @@ Name | Type | Description | Notes
 **Async** | **bool** | The script async type | 
 **Crossorigin** | **string** | The script cross origin policy | 
 **Integrity** | **string** | The script's integrity hash | 
+**Nonce** | **string** | Nonce for CSP  A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value! | 
 **Referrerpolicy** | **string** | The script referrer policy | 
 
 ## Methods
 
 ### NewUiNodeAttributes
 
-`func NewUiNodeAttributes(disabled bool, name string, nodeType string, type_ string, id string, text UiText, src string, href string, title UiText, async bool, crossorigin string, integrity string, referrerpolicy string, ) *UiNodeAttributes`
+`func NewUiNodeAttributes(disabled bool, name string, nodeType string, type_ string, id string, text UiText, src string, href string, title UiText, async bool, crossorigin string, integrity string, nonce string, referrerpolicy string, ) *UiNodeAttributes`
 
 NewUiNodeAttributes instantiates a new UiNodeAttributes object
 This constructor will assign default values to properties that have it defined,
@@ -469,6 +470,26 @@ and a boolean to check if the value has been set.
 SetIntegrity sets Integrity field to given value.
 
 
+### GetNonce
+
+`func (o *UiNodeAttributes) GetNonce() string`
+
+GetNonce returns the Nonce field if non-nil, zero value otherwise.
+
+### GetNonceOk
+
+`func (o *UiNodeAttributes) GetNonceOk() (*string, bool)`
+
+GetNonceOk returns a tuple with the Nonce field if it's non-nil, zero value otherwise
+and a boolean to check if the value has been set.
+
+### SetNonce
+
+`func (o *UiNodeAttributes) SetNonce(v string)`
+
+SetNonce sets Nonce field to given value.
+
+
 ### GetReferrerpolicy
 
 `func (o *UiNodeAttributes) GetReferrerpolicy() string`

internal/httpclient/docs/UiNodeScriptAttributes.md

@@ -9,6 +9,7 @@ Name | Type | Description | Notes
 **Id** | **string** | A unique identifier | 
 **Integrity** | **string** | The script's integrity hash | 
 **NodeType** | **string** |  | 
+**Nonce** | **string** | Nonce for CSP  A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value! | 
 **Referrerpolicy** | **string** | The script referrer policy | 
 **Src** | **string** | The script source | 
 **Type** | **string** | The script MIME type | 
@@ -17,7 +18,7 @@ Name | Type | Description | Notes
 
 ### NewUiNodeScriptAttributes
 
-`func NewUiNodeScriptAttributes(async bool, crossorigin string, id string, integrity string, nodeType string, referrerpolicy string, src string, type_ string, ) *UiNodeScriptAttributes`
+`func NewUiNodeScriptAttributes(async bool, crossorigin string, id string, integrity string, nodeType string, nonce string, referrerpolicy string, src string, type_ string, ) *UiNodeScriptAttributes`
 
 NewUiNodeScriptAttributes instantiates a new UiNodeScriptAttributes object
 This constructor will assign default values to properties that have it defined,
@@ -132,6 +133,26 @@ and a boolean to check if the value has been set.
 SetNodeType sets NodeType field to given value.
 
 
+### GetNonce
+
+`func (o *UiNodeScriptAttributes) GetNonce() string`
+
+GetNonce returns the Nonce field if non-nil, zero value otherwise.
+
+### GetNonceOk
+
+`func (o *UiNodeScriptAttributes) GetNonceOk() (*string, bool)`
+
+GetNonceOk returns a tuple with the Nonce field if it's non-nil, zero value otherwise
+and a boolean to check if the value has been set.
+
+### SetNonce
+
+`func (o *UiNodeScriptAttributes) SetNonce(v string)`
+
+SetNonce sets Nonce field to given value.
+
+
 ### GetReferrerpolicy
 
 `func (o *UiNodeScriptAttributes) GetReferrerpolicy() string`

selfservice/strategy/webauthn/login_test.go

@@ -67,6 +67,7 @@ func TestCompleteLogin(t *testing.T) {
 			"1.attributes.onclick",
 			"1.attributes.onload",
 			"3.attributes.src",
+			"3.attributes.nonce",
 		})
 		ensureReplacement(t, "1", f.Ui, "allowCredentials")
 	})

selfservice/strategy/webauthn/settings_test.go

@@ -133,6 +133,7 @@ func TestCompleteSettings(t *testing.T) {
 			"0.attributes.value",
 			"4.attributes.onclick",
 			"6.attributes.src",
+			"6.attributes.nonce",
 		})
 		ensureReplacement(t, "4", f.Ui, "Ory Corp")
 	})
@@ -149,6 +150,7 @@ func TestCompleteSettings(t *testing.T) {
 			"2.attributes.onload",
 			"2.attributes.onclick",
 			"4.attributes.src",
+			"4.attributes.nonce",
 		})
 		ensureReplacement(t, "2", f.Ui, "Ory Corp")
 	})

spec/api.json

@@ -1763,6 +1763,10 @@
           "node_type": {
             "$ref": "#/components/schemas/uiNodeType"
           },
+          "nonce": {
+            "description": "Nonce for CSP\n\nA nonce you may want to use to improve your Content Security Policy.\nYou do not have to use this value but if you want to improve your CSP\npolicies you may use it. You can also choose to use your own nonce value!",
+            "type": "string"
+          },
           "referrerpolicy": {
             "description": "The script referrer policy",
             "type": "string"
@@ -1784,6 +1788,7 @@
           "integrity",
           "type",
           "id",
+          "nonce",
           "node_type"
         ],
         "title": "ScriptAttributes represent script nodes which load javascript.",

spec/swagger.json

@@ -3600,6 +3600,7 @@
         "integrity",
         "type",
         "id",
+        "nonce",
         "node_type"
       ],
       "properties": {
@@ -3622,6 +3623,10 @@
         "node_type": {
           "$ref": "#/definitions/uiNodeType"
         },
+        "nonce": {
+          "description": "Nonce for CSP\n\nA nonce you may want to use to improve your Content Security Policy.\nYou do not have to use this value but if you want to improve your CSP\npolicies you may use it. You can also choose to use your own nonce value!",
+          "type": "string"
+        },
         "referrerpolicy": {
           "description": "The script referrer policy",
           "type": "string"

ui/node/attributes.go

@@ -197,6 +197,15 @@ type ScriptAttributes struct {
 	// required: true
 	Identifier string `json:"id"`
 
+	// Nonce for CSP
+	//
+	// A nonce you may want to use to improve your Content Security Policy.
+	// You do not have to use this value but if you want to improve your CSP
+	// policies you may use it. You can also choose to use your own nonce value!
+	//
+	// required: true
+	Nonce string `json:"nonce"`
+
 	// NodeType represents this node's types. It is a mirror of `node.type` and
 	// is primarily used to allow compatibility with OpenAPI 3.0.
 	//

ui/node/attributes_input.go

@@ -137,6 +137,7 @@ func NewScriptField(name string, src string, group Group, integrity string, opts
 			ReferrerPolicy: "no-referrer",
 			CrossOrigin:    "anonymous",
 			Integrity:      integrity,
+			Nonce:          x.NewUUID().String(),
 		}),
 		Meta: &Meta{},
 	}