Merge pull request #12106 from nextcloud/chore/changes-csp

chore(developer): Add upgrade hint about CSP nonce
nextcloud · Aug 15, 2024 · 1192f1e · 1192f1e
2 parents f336e17 + 7dffe2b
commit 1192f1e
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/developer_manual/app_publishing_maintenance/app_upgrade_guide/upgrade_to_30.rst b/developer_manual/app_publishing_maintenance/app_upgrade_guide/upgrade_to_30.rst
@@ -77,6 +77,30 @@ The border radius CSS variables have been refactored:
   - ``--border-radius-pill`` is deprecated now in favor of ``--border-radius-element``.
   - ``--border-radius-rounded`` is deprecated now in favor of ``--border-radius-container``.
 
+CSP Nonce
+^^^^^^^^^
+
+A bug was fixed that prevented Nextcloud form using the ``CSP_NONCE`` environment variable,
+this now means that the CSP nonce for JavaScript assets is no longer (guaranteed to be) based on the CSRF token.
+Instead administrators can choose to use a differently generated token.
+When using JavaScript modules this does not make a difference, as they are imported and the nonce has only to be set on the root module (done by Nextcloud),
+but if you are using Webpack or otherwise dynamically load scripts, you now need adjust the CSP nonce handling.
+
+Get the CSP nonce:
+
+- Either use ``getCSPNonce`` from the ``@nextcloud/auth`` :ref:`package<js-library_nextcloud-auth>`, which is also backwards compatible.
+- Or directly read the nonce from the ``<meta name="csp-nonce" />`` tag.
+
+When using Webpack:
+
+.. code-block:: diff
+
+    - import { getRequestToken } from '@nextcloud/auth'
+    - __webpack_nonce__ = btoa(getRequestToken())
+    + import { getCSPNonce } from '@nextcloud/auth'
+    + __webpack_nonce__ = getCSPNonce()
+
+
 Added APIs
 ^^^^^^^^^^
 

diff --git a/developer_manual/digging_deeper/javascript-apis.rst b/developer_manual/digging_deeper/javascript-apis.rst
@@ -35,13 +35,16 @@ Development
 Most packages are written in TypeScript in order to generate better API docs automatically but also to ensure compatibility with Nextcloud server in a programmatic way. The server is typed in `a dedicated npm package <https://www.npmjs.com/package/@nextcloud/typings>`_ that is used to check type soundness.
 
 
+
 Packages in detail
 ^^^^^^^^^^^^^^^^^^
 
 
 The rest of this section will cover a rough overview of which packages are provided and what they are used for.
 
 
+.. _js-library_nextcloud-auth:
+
 ``@nextcloud/auth``
 ^^^^^^^^^^^^^^^^^^^