From 7dffe2bd5345d3aecf7cc43e3b989b07e965df95 Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Tue, 13 Aug 2024 18:51:55 +0200 Subject: [PATCH] chore(developer): Add upgrade hint about CSP nonce Signed-off-by: Ferdinand Thiessen --- .../app_upgrade_guide/upgrade_to_30.rst | 24 +++++++++++++++++++ .../digging_deeper/javascript-apis.rst | 3 +++ 2 files changed, 27 insertions(+) diff --git a/developer_manual/app_publishing_maintenance/app_upgrade_guide/upgrade_to_30.rst b/developer_manual/app_publishing_maintenance/app_upgrade_guide/upgrade_to_30.rst index 141f0e25a4b..2482184925b 100644 --- a/developer_manual/app_publishing_maintenance/app_upgrade_guide/upgrade_to_30.rst +++ b/developer_manual/app_publishing_maintenance/app_upgrade_guide/upgrade_to_30.rst 
@@ -77,6 +77,30 @@ The border radius CSS variables have been refactored: - ``--border-radius-pill`` is deprecated now in favor of ``--border-radius-element``. - ``--border-radius-rounded`` is deprecated now in favor of ``--border-radius-container``. +CSP Nonce +^^^^^^^^^ + +A bug was fixed that prevented Nextcloud form using the ``CSP_NONCE`` environment variable, +this now means that the CSP nonce for JavaScript assets is no longer (guaranteed to be) based on the CSRF token. +Instead administrators can choose to use a differently generated token. +When using JavaScript modules this does not make a difference, as they are imported and the nonce has only to be set on the root module (done by Nextcloud), +but if you are using Webpack or otherwise dynamically load scripts, you now need adjust the CSP nonce handling. + +Get the CSP nonce: + +- Either use ``getCSPNonce`` from the ``@nextcloud/auth`` :ref:`package`, which is also backwards compatible. +- Or directly read the nonce from the ```` tag. + +When using Webpack: + +.. code-block:: diff + + - import { getRequestToken } from '@nextcloud/auth' + - __webpack_nonce__ = btoa(getRequestToken()) + + import { getCSPNonce } from '@nextcloud/auth' + + __webpack_nonce__ = getCSPNonce() + + Added APIs ^^^^^^^^^^ diff --git a/developer_manual/digging_deeper/javascript-apis.rst b/developer_manual/digging_deeper/javascript-apis.rst index f0d7ecd8e42..2cfd322372b 100644 --- a/developer_manual/digging_deeper/javascript-apis.rst +++ b/developer_manual/digging_deeper/javascript-apis.rst @@ -35,6 +35,7 @@ Development Most packages are written in TypeScript in order to generate better API docs automatically but also to ensure compatibility with Nextcloud server in a programmatic way. The server is typed in `a dedicated npm package `_ that is used to check type soundness. + Packages in detail ^^^^^^^^^^^^^^^^^^ 
@@ -42,6 +43,8 @@ Packages in detail The rest of this section will cover a rough overview of which packages are provided and what they are used for. +.. _js-library_nextcloud-auth: + ``@nextcloud/auth`` ^^^^^^^^^^^^^^^^^^^
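Review bot: in the new "CSP Nonce" section of upgrade_to_30.rst the inline literal naming the tag to read the nonce from is empty ("Or directly read the nonce from the ```` tag"), so a reader who does not go through ``@nextcloud/auth`` cannot tell which element and attribute carry the nonce; name them explicitly. In the same section ``:ref:`package``` has no visible explicit target; if it is meant to land on the ``js-library_nextcloud-auth`` label added in javascript-apis.rst, spell that target out so the cross-reference does not break. Two wording fixes: "prevented Nextcloud form using" should be "from using", and "you now need adjust" should be "need to adjust"; the first sentence is also a comma splice and reads better if split after "environment variable". Finally, state the consequence the Webpack diff guards against: an app that keeps ``__webpack_nonce__ = btoa(getRequestToken())`` will emit a nonce that no longer matches the one the server sends once ``CSP_NONCE`` is in use, so its dynamically loaded chunks are rejected by the browser's CSP; adding that sentence, plus the minimum ``@nextcloud/auth`` version that ships ``getCSPNonce``, makes the upgrade hint actionable.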
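Review bot: the first javascript-apis.rst hunk (@@ -35,6 +35,7 @@) only inserts a blank line before the "Packages in detail" heading; it is unrelated to the CSP-nonce hint in the commit subject and could be dropped from this change or noted in the commit message so the whitespace-only edit is not mistaken for content.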
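Review bot: the second javascript-apis.rst hunk (@@ -42,6 +43,8 @@) adds the ``js-library_nextcloud-auth`` label but nothing else, while the upgrade guide now sends readers to the ``@nextcloud/auth`` section specifically for ``getCSPNonce``; add a short entry under that heading describing ``getCSPNonce`` (what it returns and that it falls back to the CSRF-token-based value on older servers, as the upgrade guide's "backwards compatible" remark implies) so the reference resolves to documentation of the function rather than just to a heading.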