💉Nonce Injection

Corgi can automatically inject nonce attributes into script elements to be used with a Content Security Policy.

To enable nonce injection, simply place a compiler directive above the func header, with a Go expression retrieving the nonce:

import "context"

//corgi:nonce ctx.Value("nonce")
func Foo(ctx context.Context)

script
  > let foo = "bar"
nonce := make([]byte, 16)
if _, err := rand.Read(nonce); err != nil {
    panic(err)
}

nonceB64 := base64.StdEncoding.ToString(nonce)

ctx := context.WithValue(context.Background(), "nonce", nonceB64)
Foo(ctx)
<script nonce="8IBTHwOdqNKAWeKl7plt8g==">
  let foo = "bar"
</script>
PreviousSecurity and EscapingNextBlock Expansions

Last updated