From de484e5a50184c72bd643de52478fef43129d938 Mon Sep 17 00:00:00 2001 From: Ben White Date: Wed, 25 Dec 2024 18:52:46 +0000 Subject: [PATCH 1/2] Added nonce docs --- .../docs/advanced/content-security-policy.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/contents/docs/advanced/content-security-policy.md b/contents/docs/advanced/content-security-policy.md index 98e4ff5acd98..395066a0b9a1 100644 --- a/contents/docs/advanced/content-security-policy.md +++ b/contents/docs/advanced/content-security-policy.md @@ -51,6 +51,22 @@ Depending on your compliance needs you can either: **NOTE**: This list should be enough at the time of writing. As the PostHog application changes rapidly, it is possible that other directives may be needed over time for loading the Toolbar. If you experience issues after implementing one of the above solutions, you can typically debug in the browser tools which part of the CSP is blocking requests. +## Supporting none directives + +You may choose to use a `nonce` in your CSP in order to ensure every script loaded has the correct tag for the current page load. This can be done via config option in `posthog-js` like so: + +```js +posthog.init('', { + prepare_external_dependency_script = (script) => { + script.nonce = '' + return script + } +}) +``` + +This will modify the script to be loaded before they are inserted to the DOM. Be sure to understand fully the implications of using a `nonce` and to ensure that you are using the `npm` install method or modifying the snippet to also include this nonce value. + + ## Domains used by PostHog clients > WARNING: Adding more specific domains is _not_ recommended as we may change target subdomains over time. If you do specify a non-wildcard domain, we cannot guarantee that it will continue to work in the future. From ec21113172a1b4dc8d974acbd803c8c070c1cc1f Mon Sep 17 00:00:00 2001 
From: Ben White Date: Wed, 25 Dec 2024 18:53:05 +0000 Subject: [PATCH 2/2] Fixes --- contents/docs/advanced/content-security-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contents/docs/advanced/content-security-policy.md b/contents/docs/advanced/content-security-policy.md index 395066a0b9a1..9923bcd5a5ce 100644 --- a/contents/docs/advanced/content-security-policy.md +++ b/contents/docs/advanced/content-security-policy.md @@ -53,7 +53,7 @@ Depending on your compliance needs you can either: ## Supporting none directives -You may choose to use a `nonce` in your CSP in order to ensure every script loaded has the correct tag for the current page load. This can be done via config option in `posthog-js` like so: +You may choose to use a `nonce` in your CSP in order to ensure every script loaded has the matching `nonce` for the current page load. This can be done via config option in `posthog-js` like so: ```js posthog.init('', {
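Review bot: The config example added in the new `## Supporting none directives` section (patch 1) will not parse as written: inside the options object passed to `posthog.init('', { ... })` the property is written with `=`, `prepare_external_dependency_script = (script) => {`, which is a syntax error in a JavaScript object literal; it should be `prepare_external_dependency_script: (script) => {`. The heading itself also says `none` where the section is about `nonce`. Two smaller points on the same hunk: `script.nonce = ''` and `posthog.init('', ...)` use bare empty strings as placeholders that a reader may copy literally, and the paragraph should state that the value assigned to `script.nonce` has to be the same unpredictable, per-response nonce emitted in the page's `Content-Security-Policy` header (a fixed or reused nonce gives no more protection than `'unsafe-inline'`). Finally, `This will modify the script to be loaded before they are inserted to the DOM` mixes singular and plural; suggest `This modifies each external script element before it is inserted into the DOM`.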
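Review bot: The `Fixes` commit (patch 2) only rewords the sentence (`the correct tag` to `the matching \`nonce\``) and leaves the typo in the unchanged context line directly above it, `## Supporting none directives`, which should read `## Supporting nonce directives`; since this hunk already touches that paragraph, fold the one-word heading fix in here rather than leaving it for a third commit.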