Cospex

Better Content-Security-Policy for Phoenix apps

Cospex wants to make it easier to use modern Content-Security-Policy in your Phoenix applications, including with Phoenix Live View.

Cospex supports generating a nonce for better security.

Installation

At the moment, Cospex is not yet on hex.pm, so you have to add a dependency on this git repository:

def deps do
  [
    # ...,
    {:cospex, git: "https://github.com/braunse/cospex.git"},
    # ...,
  ]
end

To enable it, add the Cospex Plug to your router:

  pipeline :browser do
    # ...
    plug Cospex.Plug,
      default_src: [:self, :nonce],
      script_src: [:self, :strict_dynamic, :nonce]
  end

And further, to output <script> and <link> tags with the correct nonce, switch to the helper functions in Cospex.ViewHelpers:

  <%= Cospex.ViewHelpers.style_tag(@conn, "/js/app.css") %>
  <%= Cospex.ViewHelpers.script_tag(@conn, "/js/app.js") %>
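
To show what the plug options and the nonce-aware tags amount to on the wire, here is an added sketch that is not Cospex's own code: the module `CspSketch` and its functions are hypothetical, and it assumes the atoms `:self`, `:strict_dynamic` and `:nonce` map to the standard CSP source expressions.

```elixir
# Added illustration, not Cospex source. CspSketch and its function names
# are hypothetical; only the option shape is taken from the README above.
defmodule CspSketch do
  # A fresh, unpredictable nonce for each response (128 bits, base64).
  # Reusing a nonce across responses defeats its purpose.
  def new_nonce, do: :crypto.strong_rand_bytes(16) |> Base.encode64()

  # Turns [default_src: [:self, :nonce], ...] into a header value such as
  # "default-src 'self' 'nonce-...'; script-src 'self' 'strict-dynamic' 'nonce-...'".
  def header_value(directives, nonce) do
    directives
    |> Enum.map(fn {name, sources} ->
      directive = name |> Atom.to_string() |> String.replace("_", "-")
      rendered = Enum.map(sources, &source(&1, nonce))
      Enum.join([directive | rendered], " ")
    end)
    |> Enum.join("; ")
  end

  # Keyword sources must be single-quoted in the header; an unknown atom
  # raises FunctionClauseError rather than emitting a malformed policy.
  defp source(:self, _nonce), do: "'self'"
  defp source(:strict_dynamic, _nonce), do: "'strict-dynamic'"
  defp source(:nonce, nonce), do: "'nonce-#{nonce}'"
  defp source(host, _nonce) when is_binary(host), do: host

  # The tag must carry the same nonce the header announced, otherwise the
  # browser blocks it. src is assumed to be a trusted static path here.
  def script_tag(src, nonce), do: ~s(<script src="#{src}" nonce="#{nonce}"></script>)
end

nonce = CspSketch.new_nonce()
policy = [default_src: [:self, :nonce], script_src: [:self, :strict_dynamic, :nonce]]

IO.puts("content-security-policy: " <> CspSketch.header_value(policy, nonce))
IO.puts(CspSketch.script_tag("/js/app.js", nonce))
```

A `<script>` tag rendered without the matching nonce attribute is refused by the browser under this policy, which is why the templates need the nonce-aware helpers.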