Unable to see nonce value in Chrome devtools

[ghisleouf]

Hi there,

I've just installed nuxt-security module on our website and I'm having question regarding nonce generation and configuration.
As far as I could read, nonce attribute is supposed to be added on every script tag (for example) with the right value.

In our case, I can see "Content-Security-Policy" header of my request a nonce value to be set :

but ... I was expecting also that this nonce attribute value was also added to my scripts:

and this is not the case.
None of the injected scripts has nonce value.

So ... my question is (even if I think I know the answer :p) : is it the expected behavior ?

I'm running:

"nuxt": "^3.12.3",
"nuxt-security": "^2.1.5",

and nuxt security module config:

security: {
    // corsHandler: false,
    // nonce: true,
    headers: {
      // crossOriginEmbedderPolicy: 'credentialless',
      // crossOriginOpenerPolicy: 'same-origin',
      crossOriginResourcePolicy: false,
      crossOriginEmbedderPolicy: false,
      crossOriginOpenerPolicy: false,
      contentSecurityPolicy: {
        'script-src': [
          "'nonce-{{nonce}}'",
          "'strict-dynamic'",
        ],
        'style-src': ["'self'", "'unsafe-inline'"],
        'worker-src': ["'self'", 'blob:'],
        'object-src': ['blob:'],
        'img-src': ['*', 'data:'],
        'frame-ancestors': [
          'self', // and some other domains
        ],
      },
    },
  }

Thanks a lot for your help.

Best regards

[vejja]

Hi @ghisleouf
Chrome devtools is hiding the nonce value in your screenshots for security reasons, but the nonce is there
You can actually inspect if the nonces are correctly transmitted by looking at the Response tab of the Network section. They should appear in the raw HTML response alongside each script tag there.

[ghisleouf]

Come on!

You're right ! Sorry for this question ... and thanks a lot for your answer. 🤘

[vejja]

Actually this confuses a lot of people
The reason why Chrome chose to hide the nonce value in devtools is not super obvious in my opinion, but this is the way they designed it.

I'll convert this one to discussion to keep track for other users who may have the same question