Commit 2e40d74

Allow nonce attribute to be set on inline script
Not all services are able to follow the currently recommended approach of using hashes to allow specific inline scripts as part of their Content Security Policy. An alternative approach is to use a nonce which requires the attribute to be set on the script itself. Introduce a new Nunjucks variable `cspNonce` for the page template to allow users to do this.
1 parent 7416216 commit 2e40d74

2 files changed

+13
-1
lines changed

src/govuk/template.njk

+1-1
@@ -28,7 +28,7 @@
2828
<meta property="og:image" content="{{ assetUrl | default('/assets') }}/images/govuk-opengraph-image.png">
2929
</head>
3030
<body class="govuk-template__body {{ bodyClasses }}" {%- for attribute, value in bodyAttributes %} {{attribute}}="{{value}}"{% endfor %}>
31-
<script>document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
31+
<script{% if cspNonce %} nonce="{{ cspNonce }}"{% endif %}>document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
3232
{% block bodyStart %}{% endblock %}
3333

3434
{% block skipLink %}
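Review bot: the value is interpolated straight into a quoted attribute on the new line 31 (`<script{% if cspNonce %} nonce="{{ cspNonce }}"{% endif %}>`), so whether a nonce containing `"` can break out of the attribute depends on the Nunjucks environment's autoescape setting, which this template does not control. Nothing in this commit documents the new variable; the template documentation should say that `cspNonce` must be a server-generated, per-response random value (base64, as CSP nonces are) and never static or user-controlled, because a fixed nonce is equivalent to 'unsafe-inline'. Worth noting there too that the attribute does not alter the script body, so the published sha256 hash checked in template.test.js stays valid for services that keep the hash approach.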

src/govuk/template.test.js

+12
@@ -165,6 +165,18 @@ describe('Template', () => {
165165
// updating the hash published in https://frontend.design-system.service.gov.uk/importing-css-assets-and-javascript/#if-your-javascript-isn-t-working-properly
166166
expect('sha256-' + hash).toEqual('sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU=')
167167
})
168+
it('should not have a nonce attribute by default', () => {
169+
const $ = renderTemplate()
170+
const scriptTag = $('body > script').first()
171+
172+
expect(scriptTag.attr('nonce')).toEqual(undefined)
173+
})
174+
it('should have a nonce attribute when nonce is provided', () => {
175+
const $ = renderTemplate({ cspNonce: 'abcdef' })
176+
const scriptTag = $('body > script').first()
177+
178+
expect(scriptTag.attr('nonce')).toEqual('abcdef')
179+
})
168180
})
169181

170182
describe('skip link', () => {
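Review bot: the two new tests at lines 168-179 only check attribute presence with the plain value `abcdef`; add a case with a realistic base64 nonce containing `+`, `/` and `=`, and one containing `"`, so the escaping behaviour of the attribute is pinned down rather than left to the environment's autoescape default. The selector `$('body > script').first()` also assumes the js-enabled script remains the first direct child script of `body`, so a later template change could make the assertion pass against a different tag; selecting by the script's content (the `js-enabled` snippet the hash test at line 165-166 already covers) would be more robust.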

0 commit comments