Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an API to Nosecone to get the nonce #3133

Open
davidmytton opened this issue Feb 8, 2025 · 3 comments
Open

Add an API to Nosecone to get the nonce #3133

davidmytton opened this issue Feb 8, 2025 · 3 comments

Comments

@davidmytton
Copy link
Contributor

This would help when developers need to provide the nonce to scripts which do not use something like the Next.js Script component.

For example, PostHog requires you to pass the nonce into the init code.
@blaine-arcjet
Copy link
Contributor

The Next.js <Script> component auto-injects the nonce.

We can still add something for PostHog.

@blaine-arcjet
Copy link
Contributor

blaine-arcjet commented Mar 17, 2025
edited
Loading

I dug into this a bit and found that while Next.js provides a context into middleware, it doesn't propagate past the middleware execution, so I don't see a way to provide this. See also: vercel/next.js#67305

There's a Next.js guide where they put it in the request header but that seems like a footgun because then it could be spoofed by attackers if they can figure out when middleware isn't executed.

@blaine-arcjet
Copy link
Contributor

I still need to understand the instrument.js file because that's supposedly usable for propagating a context but it didn't seem to...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davidmytton @blaine-arcjet