Does it support nonce? #377

Open
caub opened this issue Feb 14, 2022 · 6 comments
Labels
enhancement New feature or request

Comments

@caub

caub commented Feb 14, 2022

For CSP, I'd like to do AnalyticsBrowser.load({ writeKey, nonce }) where nonce is a CSP nonce passed to allow specific scripts

@pooyaj
Contributor

pooyaj commented Feb 17, 2022

Thanks @caub, that's a great suggestion, I'll add to our backlog to add.

@yordis
Contributor

yordis commented Apr 6, 2022

@pooyaj can I follow the same patterns as the _url thing? The amount of manual CSP entries today is killing us right now ... almost everything is injected by Segment.

@pooyaj
Contributor

pooyaj commented Apr 6, 2022

@yordis yes! a PR is appreciated 🙌

@pooyaj pooyaj added the enhancement New feature or request label Aug 5, 2022
@yakovenkodenis

yakovenkodenis commented Jan 2, 2025

Are there any plans on adding the nonce support? The issue has been open for 3 years already...

@yordis
Contributor

yordis commented Jan 2, 2025

@yakovenkodenis I am not using Segment at the moment, take the lead and open a PR, I can assist if I still remember how

@yakovenkodenis

What I have currently tried locally is to add a nonce property to the InitOptions interface and pass that down to the loadScript function that accepts an optional attributes object as a second parameter.

```ts
// packages/browser/src/core/analytics/index.ts
export interface InitOptions {
  nonce?: string
  ....
}

// packages/browser/src/plugins/ajs-destination/index.ts
export class LegacyDestination implements InternalPluginWithAddMiddleware {
...
  async load(ctx: Context, analyticsInstance: Analytics): Promise<void> {
    ...
    const integrationSource =
      this.integrationSource ??
      (await loadIntegration(
        ctx,
        this.name,
        this.version,
        this.options.obfuscate,
        { ...(this.options.nonce ? { nonce: this.options.nonce } : {}) } // this line is new
      ))
    ...
  }
...
}

// packages/browser/src/plugins/ajs-destination/loader.ts
...
export async function loadIntegration(
  ctx: Context,
  name: string,
  version: string,
  obfuscate?: boolean,
  attributes?: Record<string, string> // this parameter is new
): Promise<ClassicIntegrationSource> {
  ...
  try {
    await loadScript(fullPath, attributes) // passing the attributes object with `nonce`
    ...
}
...
```

This appears to work when calling new LegacyDestination(......) (the nonce parameter is set on the script tag), but I got stuck with passing the options object from AnalyticsBrowser.load(...) and basically connecting the dots on how calling new Analytics() triggers loading integrations.

I thought that in the end the path from AnalyticsBrowser.load should lead me to the loadScript(src, attrs) call somehow, but it didn't.

Specifically, I was looking at the following files:

  • packages/browser/src/browser/index.ts (loadAnalytics function)
  • packages/browser/src/core/analytics/index.ts (new Analytics(...) accepts InitOptions where the nonce value can be passed)
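
The mechanism this thread asks for, stamping the page's CSP nonce onto every dynamically created script element so that a `script-src 'nonce-<value>'` policy admits it, as an added example that is not part of the thread or of Segment's code base. `injectScript`, `pageNonce` and the `doc` parameter are hypothetical names; this is not the project's `loadScript`.

```javascript
// Added illustration (hypothetical helpers, not Segment's implementation).

// CSP nonce-source grammar: base64 or base64url characters, up to two '='.
const NONCE_RE = /^[A-Za-z0-9+/_-]+={0,2}$/;

// Recover the nonce the server issued for this response from a script element
// that already carries one. Browsers blank the `nonce` content attribute once
// the element is connected, so read the `nonce` property, not getAttribute().
function pageNonce(doc) {
  const el = doc.currentScript || doc.querySelector('script[nonce]');
  const nonce = el && el.nonce;
  return nonce && NONCE_RE.test(nonce) ? nonce : undefined;
}

// Create a script element for `src`, copy `attributes` onto it, and set the
// nonce. Pass `nonce` explicitly (for example from an init option) or let it
// default to the value found on the page.
function injectScript(doc, src, attributes = {}, nonce = pageNonce(doc)) {
  const script = doc.createElement('script');
  script.async = true;
  script.src = src;
  for (const [name, value] of Object.entries(attributes)) {
    script.setAttribute(name, value);
  }
  if (nonce !== undefined) {
    // Reject values that could never match a policy instead of failing
    // silently with a blocked request later.
    if (!NONCE_RE.test(nonce)) throw new TypeError('malformed CSP nonce');
    // Set before insertion: the policy check happens when the script is
    // prepared for fetching, which is triggered by connecting the element.
    script.nonce = nonce;
  }
  return new Promise((resolve, reject) => {
    script.onload = () => resolve(script);
    script.onerror = () => reject(new Error(`failed to load ${src}`));
    doc.head.appendChild(script);
  });
}
```

In a browser, call `injectScript(document, url)`; a blocked load shows up as a rejected promise together with a CSP violation report in the console.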
