com.google.template.soy.passes

Class ContentSecurityPolicyNonceInjectionPass

java.lang.Object

com.google.template.soy.passes.CompilerFilePass

com.google.template.soy.passes.ContentSecurityPolicyNonceInjectionPass

public final class ContentSecurityPolicyNonceInjectionPass
extends CompilerFilePass

A compiler pass that adds CSP nonce injections to <script> and <style> tags.

This makes it easy for applications using soy to set unsafe-inline Content security policy setting.

For example, given this soy template.

 <script>var x = 'foo'</script>

 

We 'know' that this script is safe because it was written by the author (rather than an attacker), so Soy will rewrite it to look like:

 <script{if $ij.csp_nonce} nonce="{$ij.csp_nonce}{/if}>var x = 'foo'</script>

 

Then if the user configures a csp_nonce in their CSP settings and as an input to rendering, all author controlled scripts and styles will be authorized.

This pass should:

• Run before ResolveNamesPass, since it adds new varref nodes
• Run before the autoescaper, since it inserts print directives
• Run after HtmlRewritePass, since it depends on the html nodes.

Field Summary

Fields

Modifier and Type	Field and Description
static String	CSP_NONCE_VARIABLE_NAME

Method Summary

Modifier and Type	Method and Description
void	run(SoyFileNode file, IdGenerator nodeIdGen)

Methods inherited from class com.google.template.soy.passes.CompilerFilePass

name, toString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

CSP_NONCE_VARIABLE_NAME

public static final String CSP_NONCE_VARIABLE_NAME

See Also:

Constant Field Values

Method Detail

run

public void run(SoyFileNode file,
                IdGenerator nodeIdGen)

Specified by:

run in class CompilerFilePass