It would be useful if you could expose an API property to objects that are loading script files on-demand, allowing the developer to add a dynamic HTML “nonce” attribute to the [script] element. This will enable CSP (content security policy) protection to be enforced with nonces on external script files.
Examples where this is relevant in the webix library are:
- webix.require()
- loading of [//www.gstatic.com/charts/loader.js] for geoChart
- loading of [//maps.google.com/maps/api/js] for googleMap
The way the google libraries work is that the parent script will pass on its “nonce” attribute to all child scripts it will be loading, ensuring a chain of protection on external scripts.