ContentSecurityPolicy v1.0.3 ContentSecurityPolicy.Plug.AddNonce

Plug which adds a random nonce to the Content Security Policy and stores it in conn.assigns under the :csp_nonce key.

This plug must run after the ContentSecurityPolicy.Plug.Setup plug, or it will raise an exception.

Example Usage

In a controller or router:

plug ContentSecurityPolicy.Plug.Setup
plug ContentSecurityPolicy.Plug.AddNonce, directives: [:script_src]

The nonce is then added to the script-src directive and will be sent in the "content-security-policy" response header. To access this nonce value when rendering a response, check conn.assigns[:csp_nonce].

conn.assigns[:csp_nonce]
"EDNnf03nceIOfn39fn3e9h3sdfa"

If using .eex templates to render a response, that might look something like:

<script nonce="<%= @conn.assigns[:csp_nonce] %>">
  // JavaScript that should be allowed to run
</script>

When the response is sent to the browser, the "content-security-policy" response header will contain "script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'", which should cause the browser to whitelist this specific script.

Note that the nonce is randomly generated for every single request, which ensures that an attacker can't just guess your nonce and get their malicious script/resource run.
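The following ExUnit test is an added example, not part of this library's own test suite: it runs the two-plug pipeline shown above with Plug.Test and checks the behaviour the text describes. It assumes the plugs accept the options exactly as written on this page and that the header is readable from the conn after send_resp/3 (the file name is hypothetical).

```elixir
# test/csp_nonce_example_test.exs (hypothetical file name)
defmodule CspNonceExampleTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  alias ContentSecurityPolicy.Plug.{Setup, AddNonce}

  # Run the same two plugs the docs show, then send the response so that
  # any before_send hooks have had the chance to write the CSP header.
  defp run_pipeline do
    conn(:get, "/")
    |> Setup.call(Setup.init([]))
    |> AddNonce.call(AddNonce.init(directives: [:script_src]))
    |> send_resp(200, "")
  end

  test "nonce is exposed in conn.assigns and in the script-src directive" do
    conn = run_pipeline()
    nonce = conn.assigns[:csp_nonce]
    assert is_binary(nonce) and byte_size(nonce) > 0

    # The header must carry the exact nonce the template will embed,
    # quoted as 'nonce-<value>' as CSP requires.
    [header] = get_resp_header(conn, "content-security-policy")
    assert header =~ "script-src"
    assert header =~ "'nonce-#{nonce}'"
  end

  test "a fresh nonce is generated for every request" do
    # Reused nonces would let a script copied from one response run in another.
    nonces = for _ <- 1..5, do: run_pipeline().assigns[:csp_nonce]
    assert length(Enum.uniq(nonces)) == 5
  end

  test "the .eex template embeds the same nonce the header advertises" do
    conn = run_pipeline()
    template = ~s(<script nonce="<%= @conn.assigns[:csp_nonce] %>"></script>)
    html = EEx.eval_string(template, assigns: [conn: conn])
    assert html == ~s(<script nonce="#{conn.assigns[:csp_nonce]}"></script>)
  end
end
```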
