Hello,
We have an issue in our project where we need to add nonce attributes to our script tags to prevent XSS attacks. The problem is that the function Webpack.header doesn't allow attribute definition in the header scripts it returns.
Here we can see that the function doesn't have a mechanism to add these attributes:
```elixir
@header_script if(Application.get_env(:reaxt, :hot), do: ~s(<script src="/webpack/client.js"></script>))
@header_global Poison.encode!(Application.get_env(:reaxt, :global_config))

# Returns the two header script tags with no way to set attributes on them.
def header do
  "<script>window.global_reaxt_config=#{@header_global}</script>\n#{@header_script}"
end
```
I already coded a fix; in it I added an optional argument that will contain additional attributes to be included in the script tags. Plus, I renamed some elements to make it more coherent:
```elixir
@hotload_script if(Application.get_env(:reaxt, :hot), do: "/webpack/client.js")
@header_global Poison.encode!(Application.get_env(:reaxt, :global_config))

# `attributes` is a keyword list or map of extra attributes (e.g. nonce: "...")
# added to every script tag; it defaults to none so existing callers keep working.
def header(attributes \\ []) do
  # Quote each value so characters such as "=" or "/" in a base64 nonce
  # cannot terminate an unquoted attribute.
  stringified_attributes =
    Enum.reduce(attributes, "", fn {name, value}, acc ->
      acc <> ~s(#{name}="#{value}" )
    end)

  main_header =
    "<script #{stringified_attributes}>window.global_reaxt_config=#{@header_global}</script>"

  if @hotload_script do
    main_header <>
      ~s(\n<script #{stringified_attributes} src="#{@hotload_script}"></script>)
  else
    main_header
  end
end
```
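As an added example that is not part of this issue or of Reaxt's own code, the module below shows how an attribute-aware header/1 fits into a per-response CSP nonce scheme: a fresh nonce is generated for each response, emitted on both script tags, and echoed in the Content-Security-Policy header so the browser executes only scripts carrying that nonce. The module name, the escape_attr/1 helper, the render_head/0 flow and the constructed @header_global and @hotload_script values are assumptions; it depends only on Elixir's standard library and Erlang's :crypto.

```elixir
defmodule CspNonceExample do
  # Added example, not Reaxt's code. Stand-ins for the module attributes in
  # the issue; the values are constructed for illustration.
  @header_global ~s({"api_base":"/api/v1"})
  @hotload_script "/webpack/client.js"

  # One fresh 128-bit nonce per HTTP response, base64-encoded.
  def generate_nonce do
    :crypto.strong_rand_bytes(16) |> Base.encode64()
  end

  # Minimal attribute-value escaping (hypothetical helper) so a value can
  # never close the quotes around it.
  def escape_attr(value) do
    value
    |> to_string()
    |> String.replace("&", "&amp;")
    |> String.replace("\"", "&quot;")
    |> String.replace("<", "&lt;")
    |> String.replace(">", "&gt;")
  end

  # Renders extra attributes as ` name="value"` pairs; an empty list renders "".
  def stringify_attributes(attributes) do
    Enum.map_join(attributes, "", fn {name, value} ->
      ~s( #{name}="#{escape_attr(value)}")
    end)
  end

  # Same shape as the patched header/1 in the issue, with the attributes
  # applied to both script tags.
  def header(attributes \\ []) do
    attrs = stringify_attributes(attributes)
    main = "<script#{attrs}>window.global_reaxt_config=#{@header_global}</script>"

    if @hotload_script do
      main <> ~s(\n<script#{attrs} src="#{@hotload_script}"></script>)
    else
      main
    end
  end

  # CSP value that allows only scripts carrying this response's nonce.
  def csp_header(nonce) do
    "script-src 'nonce-#{nonce}'; object-src 'none'; base-uri 'self'"
  end

  # Per-response flow: generate the nonce, then build the CSP header value and
  # the HTML fragment from the same nonce so the two always agree.
  def render_head do
    nonce = generate_nonce()
    {csp_header(nonce), header(nonce: nonce)}
  end
end
```

A Plug or controller would call `CspNonceExample.render_head/0` once per request, send the first tuple element with `Plug.Conn.put_resp_header(conn, "content-security-policy", csp)` and place the second in the layout's head. Because the nonce is regenerated for every response, a script injected into the page body never carries the current value and is refused by the browser.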