From da15f3f519021f545765e01d0430d16549332750 Mon Sep 17 00:00:00 2001
From: Jens Reimann <ctron@dentrassi.de>
Date: Tue, 21 Jan 2025 09:40:31 +0100
Subject: [PATCH] fix: disable nonce creation by default

As the nonce should be unique per request, it doesn't make sense to
enable this by default, as that requires additional work on the serving
side.

On the other side, having a (static) random value isn't correct either.

So we keep the current logic, but disable nonce generation by default,
making it opt-in.

Closes #941
---
 Trunk.toml                 | 2 ++
 schemas/config.json        | 4 ++--
 src/config/models/build.rs | 8 ++------
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/Trunk.toml b/Trunk.toml
index 357c1878..27342087 100644
--- a/Trunk.toml
+++ b/Trunk.toml
@@ -30,6 +30,8 @@ minify = "never" # can be one of: never, on_release, always
 no_sri = false
 # An optional cargo profile to use
 # cargo_profile = "release-trunk"
+# Allow injecting a nonce attribute
+create_nonce = false
 
 [watch]
 # Paths to watch. The `build.target`'s parent folder is watched by default.
diff --git a/schemas/config.json b/schemas/config.json
index b002e5d9..41bc1737 100644
--- a/schemas/config.json
+++ b/schemas/config.json
@@ -10,7 +10,7 @@
         "all_features": false,
         "allow_self_closing_script": false,
         "cargo_profile": null,
-        "create_nonce": true,
+        "create_nonce": false,
         "dist": "dist",
         "filehash": true,
         "frozen": false,
@@ -120,7 +120,7 @@
         },
         "create_nonce": {
           "description": "Create 'nonce' attributes with a placeholder.",
-          "default": true,
+          "default": false,
           "type": "boolean"
         },
         "dist": {
diff --git a/src/config/models/build.rs b/src/config/models/build.rs
index e508d8fe..1cb078aa 100644
--- a/src/config/models/build.rs
+++ b/src/config/models/build.rs
@@ -153,7 +153,7 @@ pub struct Build {
     pub allow_self_closing_script: bool,
 
     /// Create 'nonce' attributes with a placeholder.
-    #[serde(default = "default::create_nonce")]
+    #[serde(default)]
     pub create_nonce: bool,
 
     /// The placeholder which is used in the 'nonce' attribute.
@@ -230,7 +230,7 @@ impl Default for Build {
             minify: Default::default(),
             no_sri: false,
             allow_self_closing_script: false,
-            create_nonce: true,
+            create_nonce: false,
             nonce_placeholder: default::nonce_placeholder(),
         }
     }
@@ -256,10 +256,6 @@ mod default {
         true
     }
 
-    pub const fn create_nonce() -> bool {
-        true
-    }
-
     pub fn nonce_placeholder() -> String {
         "{{__TRUNK NONCE__}}".to_string()
     }