
Content Security Policy issue

Open dfjackson opened this issue 6 years ago • 0 comments

I'm trying to implement content security policy but I can't remove 'unsafe-eval' or 'unsafe-inline' from the script-src in the policy because of this code from the canada.ca template:

Even if I add a nonce to this script element, the browser won't execute it because it is dynamically generated. Here's the error message from Chrome:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-eg0dg+TpLV67vNU12mvTsFbA' 'unsafe-eval' https://www.canada.ca https://cdnjs.cloudflare.com https://www.googletagmanager.com https://ajax.googleapis.com https://www.google-analytics.com". Either the 'unsafe-inline' keyword, a hash ('sha256-VdTQZOOA6p1QIhBQM+axlBd0ikS+W/fho1WFPEVTcdA='), or a nonce ('nonce-...') is required to enable inline execution.

Does anybody have any guidance on how to implement CSP without the "unsafe" sources?

dfjackson, Feb 05 '20 15:02