feat: add nonce attribute (#62)

Author: jpoehnelt

examples/index.html

@@ -18,6 +18,11 @@
 <html>
   <head>
     <meta http-equiv="content-type" content="text/html; charset=utf-8" />
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="script-src 'nonce-caffe67d7b989af3a1c7f4a1a6c79bd9fb2b4eb0'"
+    />
+
     <title>Loader Example</title>
     <style>
       html,
@@ -28,9 +33,16 @@
         padding: 0;
       }
     </style>
-    <script type="text/javascript" src="../dist/index.dev.js"></script>
+    <script
+      nonce="caffe67d7b989af3a1c7f4a1a6c79bd9fb2b4eb0"
+      type="text/javascript"
+      src="../dist/index.dev.js"
+    ></script>
 
-    <script type="text/javascript">
+    <script
+      nonce="caffe67d7b989af3a1c7f4a1a6c79bd9fb2b4eb0"
+      type="text/javascript"
+    >
       const mapOptions = {
         center: {
           lat: 0,
@@ -43,6 +55,7 @@
         apiKey: "",
         version: "weekly",
         libraries: ["places"],
+        nonce: "caffe67d7b989af3a1c7f4a1a6c79bd9fb2b4eb0",
       });
 
       // Promise
@@ -68,6 +81,5 @@
 
   <body>
     <div id="map" class="map"></div>
-    <div id="map2" class="map"></div>
   </body>
 </html>

src/index.test.ts

@@ -17,7 +17,7 @@
 import { Loader, LoaderOptions } from ".";
 
 afterEach(() => {
-  document.getElementsByTagName('html')[0].innerHTML = ''; 
+  document.getElementsByTagName("html")[0].innerHTML = "";
 });
 
 test.each([
@@ -65,8 +65,8 @@ test("setScript adds a script to head with correct attributes", () => {
 });
 
 test("setScript does not add second script with same id", () => {
-  new Loader({ apiKey: "foo", id: "bar" })['setScript']();
-  new Loader({ apiKey: "foo", id: "bar" })['setScript']();
+  new Loader({ apiKey: "foo", id: "bar" })["setScript"]();
+  new Loader({ apiKey: "foo", id: "bar" })["setScript"]();
 
   expect(document.head.childNodes.length).toBe(1);
 });
@@ -143,3 +143,11 @@ test("loader should wait if already loading", () => {
 
   loader.load();
 });
+
+test("setScript adds a nonce", () => {
+  const nonce = "bar";
+  const loader = new Loader({ apiKey: "foo", nonce });
+  loader["setScript"]();
+  const script = document.head.childNodes[0] as HTMLScriptElement;
+  expect(script.nonce).toBe(nonce);
+});

src/index.ts

@@ -144,6 +144,10 @@ export interface LoaderOptions {
    * Use a custom url and path to load the Google Maps API script.
    */
   url?: string;
+  /**
+   * Use a cryptographic nonce attribute.
+   */
+  nonce?: string;
 }
 
 /**
@@ -197,6 +201,11 @@ export class Loader {
    */
   mapIds: string[];
 
+  /**
+   * See [[LoaderOptions.nonce]]
+   */
+  nonce: string | null;
+
   /**
    * See [[LoaderOptions.url]]
    */
@@ -225,6 +234,7 @@ export class Loader {
     region,
     version,
     mapIds,
+    nonce,
     url = "https://maps.googleapis.com/maps/api/js",
   }: LoaderOptions) {
     this.version = version;
@@ -234,6 +244,7 @@ export class Loader {
     this.language = language;
     this.region = region;
     this.mapIds = mapIds;
+    this.nonce = nonce;
     this.url = url;
   }
   /**
@@ -311,9 +322,9 @@ export class Loader {
   private setScript(): void {
     if (this.id && document.getElementById(this.id)) {
       this.callback();
-      return;      
+      return;
     }
-    
+
     const url = this.createUrl();
     const script = document.createElement("script");
     script.id = this.id;
@@ -322,6 +333,11 @@ export class Loader {
     script.onerror = this.loadErrorCallback.bind(this);
     script.defer = true;
     script.async = true;
+
+    if (this.nonce) {
+      script.nonce = this.nonce;
+    }
+
     document.head.appendChild(script);
   }