fix: disable nonce creation by default

ctron · ctron · commit da15f3f51902 · 2025-01-21T13:11:15.000Z
As the nonce should be unique per request, it doesn't make sense to enable this by default, as that requires additional work on the serving side. On the other side, having a (static) random value isn't correct either. So we keep the current logic, but disable nonce generation by default, making it opt-in. Closes #941
diff --git a/Trunk.toml b/Trunk.toml
@@ -30,6 +30,8 @@ minify = "never" # can be one of: never, on_release, always
 no_sri = false
 # An optional cargo profile to use
 # cargo_profile = "release-trunk"
+# Allow injecting a nonce attribute
+create_nonce = false
 
 [watch]
 # Paths to watch. The `build.target`'s parent folder is watched by default.
diff --git a/schemas/config.json b/schemas/config.json
@@ -10,7 +10,7 @@
         "all_features": false,
         "allow_self_closing_script": false,
         "cargo_profile": null,
-        "create_nonce": true,
+        "create_nonce": false,
         "dist": "dist",
         "filehash": true,
         "frozen": false,
@@ -120,7 +120,7 @@
         },
         "create_nonce": {
           "description": "Create 'nonce' attributes with a placeholder.",
-          "default": true,
+          "default": false,
           "type": "boolean"
         },
         "dist": {
diff --git a/src/config/models/build.rs b/src/config/models/build.rs
@@ -153,7 +153,7 @@ pub struct Build {
     pub allow_self_closing_script: bool,
 
     /// Create 'nonce' attributes with a placeholder.
-    #[serde(default = "default::create_nonce")]
+    #[serde(default)]
     pub create_nonce: bool,
 
     /// The placeholder which is used in the 'nonce' attribute.
@@ -230,7 +230,7 @@ impl Default for Build {
             minify: Default::default(),
             no_sri: false,
             allow_self_closing_script: false,
-            create_nonce: true,
+            create_nonce: false,
             nonce_placeholder: default::nonce_placeholder(),
         }
     }
@@ -256,10 +256,6 @@ mod default {
         true
     }
 
-    pub const fn create_nonce() -> bool {
-        true
-    }
-
     pub fn nonce_placeholder() -> String {
         "{{__TRUNK NONCE__}}".to_string()
     }

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ pub struct Build {`
`153`	`153`	`pub allow_self_closing_script: bool,`
`154`	`154`
`155`	`155`	`/// Create 'nonce' attributes with a placeholder.`
`156`		`- #[serde(default = "default::create_nonce")]`
	`156`	`+ #[serde(default)]`
`157`	`157`	`pub create_nonce: bool,`
`158`	`158`
`159`	`159`	`/// The placeholder which is used in the 'nonce' attribute.`
`@@ -230,7 +230,7 @@ impl Default for Build {`
`230`	`230`	`minify: Default::default(),`
`231`	`231`	`no_sri: false,`
`232`	`232`	`allow_self_closing_script: false,`
`233`		`- create_nonce: true,`
	`233`	`+ create_nonce: false,`
`234`	`234`	`nonce_placeholder: default::nonce_placeholder(),`
`235`	`235`	`}`
`236`	`236`	`}`
`@@ -256,10 +256,6 @@ mod default {`
`256`	`256`	`true`
`257`	`257`	`}`
`258`	`258`
`259`		`- pub const fn create_nonce() -> bool {`
`260`		`- true`
`261`		`- }`
`262`		`-`
`263`	`259`	`pub fn nonce_placeholder() -> String {`
`264`	`260`	`"{{__TRUNK NONCE__}}".to_string()`
`265`	`261`	`}`