[google_identity_services_web] Set nonce properly in loadWebSdk(). #8069
It looks like this pull request may not have tests. Please make sure to add tests before merging. If you need an exemption, contact "@test-exemption-reviewer" in the #hackers channel in Discord (don't just cc them here, they won't see it!).

If you are not sure if you need tests, consider this rule of thumb: the purpose of a test is to make sure someone doesn't accidentally revert the fix. Ask yourself, is there anything in your PR that you feel it is important we not accidentally revert back to how it was before your fix?

Reviewers: Read the Tree Hygiene page and make sure this patch meets those guidelines before LGTMing. The test exemption team is a small volunteer group, so all reviewers should feel empowered to ask for tests, without delegating that responsibility entirely to the test exemption group.
* Adds a `nonce` parameter to the `loadWebSdk` method.
* Applies the `nonce` regardless of TrustedTypes being available or not (this is a CSP feature, more widely available than TTs)
* Does not attempt to validate the `nonce` value, the browser should complain instead (in practice, any value seems valid, see tests)
* Adds unit tests (`dart test --platform chrome`)
LGTM, thanks for the fix!
(PS: we probably should do this across all the packages that automatically load the JS into the page... and extract the JS Loading logic to its own package so we can share the logic across all packages that load JS into the page :P I'll create a separate issue for that)
flutter/packages@b9ac917...b164be3

2024-11-14 magder@google.com Remove packages/platform from dependabot config (flutter/packages#8099)
2024-11-14 magder@google.com Ignore dependabot minor and patch updates of Kotlin mocking library (flutter/packages#8056)
2024-11-14 paulberry@google.com [google_identity_services_web] Set nonce properly in loadWebSdk(). (flutter/packages#8069)
2024-11-14 engine-flutter-autoroll@skia.org Roll Flutter (stable) from 6031040 to dec2ee5 (4 revisions) (flutter/packages#8084)

If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages-flutter-autoroll
Please CC flutter-ecosystem@google.com on the revert to ensure that a human is aware of the problem.

To file a bug in Flutter: https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
This PR adds logic to `google_identity_services_web/lib/src/js_loader.dart` to cause the `nonce` property to be properly set when creating new script elements.
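The behaviour described in the PR (a caller-supplied `nonce` set on the injected script element whether or not Trusted Types is available, with no validation of its value) is sketched below in browser JavaScript. This is an added example, not the package's Dart code; `makeLoaderPolicy`, `buildSdkScript`, the policy name, the URL and the nonce value are all hypothetical, and the document and Trusted Types objects are constructed stand-ins.

```javascript
// Hypothetical helper: returns a Trusted Types policy, or null where the API is absent.
function makeLoaderPolicy(trustedTypes, allowedUrl) {
  if (!trustedTypes || typeof trustedTypes.createPolicy !== 'function') return null;
  return trustedTypes.createPolicy('example-sdk-loader', {
    // Only the one SDK URL may become a script URL through this policy.
    createScriptURL: (u) => {
      if (u !== allowedUrl) throw new TypeError('unexpected script URL: ' + u);
      return u;
    },
  });
}

// Hypothetical loader step: builds the <script> element for the SDK.
function buildSdkScript(doc, url, { nonce, policy } = {}) {
  const script = doc.createElement('script');
  script.async = true;
  script.src = policy ? policy.createScriptURL(url) : url;
  // The nonce is a CSP feature, independent of Trusted Types, so it is set on
  // both paths. It is not validated here; CSP enforcement in the browser is
  // what accepts or blocks the element.
  if (nonce != null) script.nonce = nonce;
  return script;
}

// Constructed stand-ins for `document` and `window.trustedTypes`, so the logic
// runs outside a browser.
const fakeDocument = { createElement: (tag) => ({ tagName: tag.toUpperCase() }) };
const fakeTrustedTypes = {
  createPolicy: (name, rules) => ({
    createScriptURL: (u) => {
      const checked = rules.createScriptURL(u); // validate eagerly, like the real API
      return { policy: name, toString: () => checked };
    },
  }),
};

function demo() {
  const url = 'https://sdk.example/client.js'; // constructed URL
  const nonce = 'cGxhY2Vob2xkZXI='; // constructed; a real nonce is random per response
  return {
    withoutTT: buildSdkScript(fakeDocument, url, { nonce, policy: makeLoaderPolicy(undefined, url) }),
    withTT: buildSdkScript(fakeDocument, url, { nonce, policy: makeLoaderPolicy(fakeTrustedTypes, url) }),
    noNonce: buildSdkScript(fakeDocument, url),
  };
}
```

In a real page the nonce passed in has to match the one in the response's `script-src 'nonce-...'` directive, otherwise the browser blocks the injected element.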