Description
Related page
https://mui.com/material-ui/guides/content-security-policy/
Kind of issue
Other
Issue description
The current documentation says:

> A CSP nonce is a Base 64 encoded string. You can generate one like this:
>
> ```js
> import uuidv4 from 'uuid/v4';
> const nonce = new Buffer(uuidv4()).toString('base64');
> ```
>
> You must use UUID version 4, as it generates an unpredictable string.
This generates a random string with 122 bits of entropy, which is less than the 128 bits prescribed by the Content Security Policy Level 3 W3C Working Draft:

> The generated value SHOULD be at least 128 bits long (before encoding), and SHOULD be generated via a cryptographically secure random number generator in order to ensure that the value is difficult for an attacker to predict.
Better implementation guidance might be:

```js
import crypto from 'crypto';
const nonce = crypto.randomBytes(16).toString('base64'); // 128 bits of entropy
```

It's also worth noting that `new Buffer(array)` is deprecated as of Node 6.0.0.
Context
No response
Search keywords: security,CSP,nonce,crypto,randomness