How can I use a CSP nonce with SolidStart?

[peterhirn]

Sorry if I'm missing a obvious solution here.

I'm trying to create a per-request nonce for CSP as suggested here: https://content-security-policy.com/nonce/

I figured out that renderAsync accepts a nonce as option:

entry-server.tsx

export default createHandler(
  renderAsync((event) => <StartServer event={event} />, { nonce: crypto.randomUUID() })
)

But how can I access this value later when generating eg. the CSP header or other things like fixed header scripts?

root.tsx

export default function Root() {
  const nonce = "???"

  return (
    <>
      <HttpHeader name="Content-Security-Policy" value={csp(nonce)} />
      <Html lang="en">
        <Head>
          <Meta charset="utf-8" />
          <CustomHeaderScript nonce={nonce} />
  ...

I tried using a custom middleware to store the nonce in locals which I could later access using useRequest, but I can't access the event in the option section of renderAsync

export default createHandler(
  ({ forward }) => {
    return async (event) => {
      event.locals.nonce = crypto.randomUUID()
      return forward(event)
    }
  },
  renderAsync((event) => <StartServer event={event} />, { nonce: ??? })
)

Any advice would be appreciated.

[ryansolid]

Right. We didn't work through this as of yet. I guess you could recreate the renderAsync middleware and directly patch the render call. But we need a solution for this.

[peterhirn]

Hi Ryan. Thanks for your response.

I played around with patching renderAsync a bit and found out that my initial approach won't even work on Cloudflare:

export default createHandler(
  renderAsync((event) => <StartServer event={event} />, { nonce: crypto.randomUUID() })
)

service core:user:myapp: Uncaught Error: Some functionality, such as asynchronous I/O, timeouts, and generating random values, can only be performed while handling a request.
  at server.js:10569:19
X [ERROR] MiniflareCoreError [ERR_RUNTIME_FAILURE]: The Workers runtime failed to start. There is likely additional logging output above.

So on Cloudflare the nonce can only be generated in a request context.

I ended up with this patch to solid-start

diff --git a/entry-server/render.ts b/entry-server/render.ts
index 0b70260b118b6de4995dcfdd155fae6ba721f0e8..8480c9047d832dd5a341b9ef239a01a00907ef31 100644
--- a/entry-server/render.ts
+++ b/entry-server/render.ts
@@ -47,12 +47,7 @@ export function renderSync(
 }
 
 export function renderAsync(
-  fn: (context: PageEvent) => JSX.Element,
-  options?: {
-    timeoutMs?: number;
-    nonce?: string;
-    renderId?: string;
-  }
+  fn: (context: PageEvent) => JSX.Element
 ) {
   return () => apiRoutes({
     forward: inlineServerFunctions({
@@ -70,7 +65,7 @@ export function renderAsync(
 
         let pageEvent = createPageEvent(event);
 
-        let markup = await renderToStringAsync(() => fn(pageEvent), options);
+        let markup = await renderToStringAsync(() => fn(pageEvent), event.locals.options);
 
         if (pageEvent.routerContext && pageEvent.routerContext.url) {
           return redirect(pageEvent.routerContext.url, {

Now setting the options in a middleware

export default createHandler(
  ({ forward }) => {
    return async (event) => {
      event.locals.options = { nonce: crypto.randomUUID() }
      return forward(event)
    }
  },
  renderAsync((event) => <StartServer event={event} />)
)

and get the nonce in root.tsx

function useNonce() {
  if (isServer) return useRequest().locals?.options?.nonce as string
  return ""
}

export default function Root() {
  const nonce = useNonce()
  ...

Looking forward to your next stream ❤

[peterhirn]

I'm currently trying to make CSP work with SolidStart 1.0

After adding this extremely simple middleware

import { createMiddleware } from "@solidjs/start/middleware";

export default createMiddleware({
  onRequest: [
    (event) => {
      // @ts-ignore
      event.nonce = crypto.randomUUID();
    }
  ]
});

the random nonce is automatically added to almost every script tag, except:

• the HydrationScript (nonce not propagated to sharedConfig.context?)
• the /_build/assets/index-xxx.js modulepreload script

I'll investigate this further and update this post if I can make it work on my own. Any help would be appreciated 🙏

[mdynnl]

createHandler now accepts { nonce?: string } in 2nd param options | event => options. This also passes nonce to HydrationScript through hydration context whereas event.nonce is used for other scripts.

export default createHandler(
  () => ...,
  event => {
    const nonce = crypto.randomUUID();

    event.response.headers.set(
      "Content-Security-Policy",
      [
        `script-src 'nonce-${nonce}' 'strict-dynamic'`,
        `object-src 'none'`,
        `base-uri 'none'`,
      ].join(";")
    );

    return { nonce };
  }
)

can't seem to reproduce modulepreload script though, please provide if possible. but it might be related to this.

solid-start/packages/start/src/server/StartServer.tsx

Line 72 in 1ec5e29

useAssets(() => (assets.length ? assets.map(m => renderAsset(m)) : undefined));