Remove img nonce and update deps

dev.exs

@@ -480,7 +480,6 @@ defmodule DemoWeb.Router do
         components: DemoWeb.GraphShowcasePage
       ],
       csp_nonce_assign_key: %{
-        img: :img_csp_nonce,
         style: :style_csp_nonce,
         script: :script_csp_nonce
       },
@@ -493,18 +492,21 @@ defmodule DemoWeb.Router do
     )
   end
 
+  defp nonce do
+    16 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
+  end
+
   def put_csp(conn, _opts) do
-    [img_nonce, style_nonce, script_nonce] =
-      for _i <- 1..3, do: 16 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
+    style_nonce = nonce()
+    script_nonce = noonce()
 
     conn
-    |> assign(:img_csp_nonce, img_nonce)
     |> assign(:style_csp_nonce, style_nonce)
     |> assign(:script_csp_nonce, script_nonce)
     |> put_resp_header(
       "content-security-policy",
       "default-src; script-src 'nonce-#{script_nonce}'; style-src-elem 'nonce-#{style_nonce}'; " <>
-        "img-src 'nonce-#{img_nonce}' data: ; font-src data: ; connect-src 'self'; frame-src 'self' ;"
+        "img-src data: ; font-src data: ; connect-src 'self'; frame-src 'self' ;"
     )
   end
 end

lib/phoenix/live_dashboard/layout_view.ex

@@ -6,7 +6,7 @@ defmodule Phoenix.LiveDashboard.LayoutView do
 
   def render("dash.html", assigns), do: dash(assigns)
 
-  defp csp_nonce(conn, type) when type in [:script, :style, :img] do
+  defp csp_nonce(conn, type) when type in [:script, :style] do
     csp_nonce_assign_key = conn.private.csp_nonce_assign_key[type]
     conn.assigns[csp_nonce_assign_key]
   end

lib/phoenix/live_dashboard/page_builder.ex

@@ -172,10 +172,10 @@ defmodule Phoenix.LiveDashboard.PageBuilder do
   > You should use those when including scripts or styles like this:
   >
   > ```heex
-  > <script nonce={@csp_nonces[:script]}>...</script>
-  > <script nonce={@csp_nonces[:script]} src="..."></script>
-  > <style nonce={@csp_nonces[:style]}>...</style>
-  > <link rel="stylesheet" href="..." nonce={@csp_nonces[:style]}>
+  > <script nonce={@csp_nonces.script}>...</script>
+  > <script nonce={@csp_nonces.script} src="..."></script>
+  > <style nonce={@csp_nonces.style}>...</style>
+  > <link rel="stylesheet" href="..." nonce={@csp_nonces.style}>
   > ```
   >
   > This ensures that your custom page can be used when a CSP is in place using the mechanism

lib/phoenix/live_dashboard/router.ex

@@ -300,7 +300,7 @@ defmodule Phoenix.LiveDashboard.Router do
     csp_nonce_assign_key =
       case options[:csp_nonce_assign_key] do
         nil -> nil
-        key when is_atom(key) -> %{img: key, style: key, script: key}
+        key when is_atom(key) -> %{style: key, script: key}
         %{} = keys -> Map.take(keys, [:img, :style, :script])
       end
 
@@ -404,7 +404,6 @@ defmodule Phoenix.LiveDashboard.Router do
       "allow_destructive_actions" => allow_destructive_actions,
       "requirements" => requirements |> Enum.concat() |> Enum.uniq(),
       "csp_nonces" => %{
-        img: conn.assigns[csp_nonce_assign_key[:img]],
         style: conn.assigns[csp_nonce_assign_key[:style]],
         script: conn.assigns[csp_nonce_assign_key[:script]]
       }

test/phoenix/live_dashboard/components/title_bar_component_test.exs

@@ -11,13 +11,13 @@
         render_component(TitleBarComponent,
           percent: 0.1,
           class: "test-class",
-          csp_nonces: %{img: "img_nonce", style: "style_nonce", script: "script_nonce"},
+          csp_nonces: %{style: "style_nonce", script: "script_nonce"},
           dom_id: "title-bar",
           inner_block: [%{slot: :__inner_block__, inner_block: fn _, _ -> "123" end}]
         )
 
       assert result =~ "123"
       assert result =~ ~R|<style nonce="style_nonce">\s*#.*\{width:0.1%\}|
       assert result =~ "div class=\"test-class\""
     end
   end

test/phoenix/live_dashboard/page_builder_test.exs

@@ -112,7 +112,7 @@ defmodule Phoenix.LiveDashboard.PageBuilderTest do
         hint="test-hint"
         inner_hint="test-inner-hint"
         total_formatter={&"test-format-#{&1}"}
-        csp_nonces={%{img: "img_nonce", style: "style_nonce", script: "script_nonce"}}
+        csp_nonces={%{style: "style_nonce", script: "script_nonce"}}
       />
       """)
 
@@ -149,7 +149,7 @@ defmodule Phoenix.LiveDashboard.PageBuilderTest do
         dom_id="test-dom-id"
         title="test-title"
         hint="test-hint"
-        csp_nonces={%{img: "img_nonce", style: "style_nonce", script: "script_nonce"}}
+        csp_nonces={%{style: "style_nonce", script: "script_nonce"}}
       >
         <:usage
           current={10}

test/phoenix/live_dashboard/router_test.exs

@@ -43,7 +43,6 @@ defmodule Phoenix.LiveDashboard.RouterTest do
              %{
                live_socket_path: "/custom/live",
                csp_nonce_assign_key: %{
-                 img: :csp_nonce,
                  style: :csp_nonce,
                  script: :csp_nonce
                }
@@ -54,18 +53,16 @@ defmodule Phoenix.LiveDashboard.RouterTest do
     assert route_opts(
              live_socket_path: "/custom/live",
              csp_nonce_assign_key: %{
-               img: :img_csp_none,
-               style: :style_csp_none,
-               script: :script_csp_none,
+               style: :style_csp_nonce,
+               script: :script_csp_nonce,
                other: :unused
              }
            )[:private] ==
              %{
                live_socket_path: "/custom/live",
                csp_nonce_assign_key: %{
-                 img: :img_csp_none,
-                 style: :style_csp_none,
-                 script: :script_csp_none
+                 style: :style_csp_nonce,
+                 script: :script_csp_nonce
                }
              }
   end
@@ -363,37 +360,33 @@ defmodule Phoenix.LiveDashboard.RouterTest do
 
     test "loads nonces when key present" do
       assert %{
-               "csp_nonces" => %{img: "img_nonce", script: "script_nonce", style: "style_nonce"}
+               "csp_nonces" => %{script: "script_nonce", style: "style_nonce"}
              } =
                build_conn()
-               |> Plug.Conn.assign(:img_nonce, "img_nonce")
                |> Plug.Conn.assign(:style_nonce, "style_nonce")
                |> Plug.Conn.assign(:script_nonce, "script_nonce")
                |> csp_session(%{
-                 img: :img_nonce,
                  style: :style_nonce,
                  script: :script_nonce
                })
     end
 
     test "loads nil nonces when assign present" do
       assert %{
-               "csp_nonces" => %{img: nil, script: nil, style: nil}
+               "csp_nonces" => %{script: nil, style: nil}
              } =
                build_conn()
                |> csp_session(%{
-                 img: :img_nonce,
                  style: :style_nonce,
                  script: :script_nonce
                })
     end
 
     test "loads nil nonces when key absent" do
       assert %{
-               "csp_nonces" => %{img: nil, script: nil, style: nil}
+               "csp_nonces" => %{script: nil, style: nil}
              } =
                build_conn()
-               |> Plug.Conn.assign(:img_nonce, "img_nonce")
                |> Plug.Conn.assign(:style_nonce, "style_nonce")
                |> Plug.Conn.assign(:script_nonce, "script_nonce")
                |> csp_session()

test/phoenix/live_dashboard_test.exs

@@ -17,19 +17,16 @@ defmodule Phoenix.LiveDashboardTest do
   test "embeds csp nonces" do
     html =
       build_conn()
-      |> assign(:img_csp_nonce, "img_nonce")
       |> assign(:script_csp_nonce, "script_nonce")
       |> assign(:style_csp_nonce, "style_nonce")
       |> get("/dashboard/home")
       |> html_response(200)
 
-    refute html =~ "img_nonce"
     refute html =~ "script_nonce"
     refute html =~ "style_nonce"
 
     html =
       build_conn()
-      |> assign(:img_csp_nonce, "img_nonce")
       |> assign(:script_csp_nonce, "script_nonce")
       |> assign(:style_csp_nonce, "style_nonce")
       |> get("/config/nonode@nohost/home")

test/test_helper.exs

@@ -90,7 +90,6 @@ defmodule Phoenix.LiveDashboardTest.Router do
     live_dashboard "/config",
       live_socket_path: "/custom/live",
       csp_nonce_assign_key: %{
-        img: :img_csp_nonce,
         style: :style_csp_nonce,
         script: :script_csp_nonce
       },