💉Nonce Injection

Corgi can automatically inject nonce attributes into script elements to be used with a Content Security Policy.

To enable nonce injection, simply place a compiler directive above the func header, with a Go expression retrieving the nonce:

import "context"

//corgi:nonce ctx.Value("nonce")
func Foo(ctx context.Context)

script
  > let foo = "bar"

nonce := make([]byte, 16)
if _, err := rand.Read(nonce); err != nil {
    panic(err)
}

nonceB64 := base64.StdEncoding.ToString(nonce)

ctx := context.WithValue(context.Background(), "nonce", nonceB64)
Foo(ctx)

<script nonce="8IBTHwOdqNKAWeKl7plt8g==">
  let foo = "bar"
</script>

PreviousSecurity and Escaping NextBlock Expansions

Last updated 2 years ago