Allow nonce in reCaptcha

[kesara]

Issue: #311
This adds a nonce attribute to script tag, which can be set via

RecaptchaField(nonce='<nonce>')

In order to use this, Flask app has to provide the nonce value via header.
Example:

 Content-Security-Policy: object-src 'none'; script-src 'nonce-<nonce>'

[codecov-io]

Codecov Report

Merging #312 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #312      +/-   ##
==========================================
+ Coverage   99.66%   99.66%   +<.01%     
==========================================
  Files          18       18              
  Lines         894      908      +14     
  Branches       74       75       +1     
==========================================
+ Hits          891      905      +14     
  Misses          3        3

Impacted Files	Coverage Δ
tests/test_recaptcha.py	100% <100%> (ø)	⬆️
flask_wtf/recaptcha/fields.py	100% <100%> (ø)	⬆️
flask_wtf/recaptcha/widgets.py	100% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6d4c1dc...09fb2b6. Read the comment docs.

[lepture]

@kesara You need to add documentation for nonce.

[pogliamarci]

Hi @kesara, I was looking at this patch to integrate it in a small project of mine that uses nonce-based CSP. I was wondering, why is the nonce parameter to RecaptchaField used as a string rather than being a callable?

I'm using custom code to generate the nonce, but from what I see also popular extensions such as flask-talisman generate the nonce as a parameter of request, so the value of the nonce is not available when instantiating the class (and it shouldn't be, as the nonce changes for every request), as it would be accessed outside Flask's request context.

Perhaps I'm missing something... how do you generate the CSP nonce to use your patch?

[kesara]

Hi @pogliamarci, I totally forgot that this PR is hanging. :(
In my use case we end up, allowing everything required for reCaptcha in CSP rules.
IIRC initial idea was to generate the nonce for every request (anyway you like) and pass it to the headers

Your plan to use flask-tailsman makes more sense, but that also means flask-wtf will have to add flask-talisman as a dependency?
May be introduce a new configuration option and use flask-tailsman if that present?

[pogliamarci]

Hi @kesara, what do you mean by “allowing everything required for recaptcha in CSP rules”? I was using your patch, but, when I instantiate a ReCaptchaField, I’m outside the request context, but the nonce is generated once per request (thus in the request context). So I would need to pass callable instead of a string to ReCaptchaField. I used flask-talisman as an example, although in my project I’m not using this extension (I have some custom code that generates the nonce in @app.before_request and puts it into request.csp_nonce). But I think that passing a function to ReCaptchaField that then grabs the CSP nonce from the right attribute of the request context should be general enough. (that said, I’m not a maintainer of this project, I just stumbled upon your PR that was useful for a project of mine)

…

On 4 Apr 2019, at 22:44, Kesara Rathnayake ***@***.***> wrote: Hi @pogliamarci <https://github.com/pogliamarci>, I totally forgot that this PR is hanging. :( In my use case we end up, allowing everything required for reCaptcha in CSP rules. IIRC initial idea was to generate the nonce for every request (anyway you like) and pass it to the headers Your plan to use flask-tailsman makes more sense, but that also means flask-wtf will have to add flask-talisman as a dependency? May be introduce a new configuration option and use flask-tailsman if that present? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#312 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABaM_KDVfrvOsUeQGtcq2QspYGn-IgQJks5vdmQ5gaJpZM4QELXQ>.