Passing nonce to inline script generated by oc-client

Open joginder0007 opened this issue 3 years ago • 1 comments

Who is the bug affecting?

API consumers

What is affected by this bug?

Content security policy blocks the script

When does this occur?

Before rendering

Where on the platform does it happen?

Client

How do we replicate the issue?

Add a CSP scriptSrc='nonce=<some_value>'

Expected behavior (i.e. solution)

oc-client should have configuration for nonce to be passed

What version of OC, Node.js and OS are you using?

oc - v0.49.12, node version - 16.15.0

Other Comments

joginder0007, Jul 28 '22 23:07

Doesn't this get fixed by using strict-dynamic, so instead of just doing

Content-Security-Policy: script-src 'nonce-<some_value>'

adding it like this?

Content-Security-Policy: script-src 'strict-dynamic' 'nonce-<some_value>'

ricardo-devis-agullo, Dec 17 '22 11:12
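
Added example (not from this thread or the OC project): a small model of how a browser evaluates the two script-src policies quoted in the comment above, covering only nonce sources and 'strict-dynamic'. The nonce value, the sample scripts and the URL are constructed for illustration.

```javascript
// Added example, not oc-client code. Models only the two source expressions
// used in the headers above: 'nonce-<value>' and 'strict-dynamic'.
function parseScriptSrc(header) {
  const directive = header
    .replace(/^Content-Security-Policy:\s*/i, "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === "script-src");
  if (!directive) throw new Error("no script-src directive");
  const policy = { nonces: new Set(), strictDynamic: false };
  for (const token of directive.slice(1)) {
    const m = /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/.exec(token);
    if (m) policy.nonces.add(m[1]);
    else if (token.toLowerCase() === "'strict-dynamic'") policy.strictDynamic = true;
    else throw new Error(`source expression not modelled: ${token}`);
  }
  return policy;
}

// script: { nonce?: string, src?: string, parserInserted: boolean }
function isAllowed(policy, script) {
  // A nonce attribute matching the policy allows inline and external scripts.
  if (script.nonce && policy.nonces.has(script.nonce)) return true;
  if (!script.parserInserted) {
    if (!script.src) throw new Error("script-inserted inline scripts are not modelled");
    // 'strict-dynamic': external scripts added by already-running script code
    // (not written into the markup) are allowed without a nonce of their own.
    return policy.strictDynamic;
  }
  // Script written into the markup without a matching nonce: blocked either way.
  return false;
}

const NONCE = "cjRuZDBtLW5vbmNl"; // constructed sample value
const nonceOnly = parseScriptSrc(`Content-Security-Policy: script-src 'nonce-${NONCE}'`);
const withStrictDynamic = parseScriptSrc(
  `Content-Security-Policy: script-src 'strict-dynamic' 'nonce-${NONCE}'`);

const samples = { // constructed script descriptors
  noncedInline: { nonce: NONCE, parserInserted: true },
  plainInlineInMarkup: { parserInserted: true },
  loadedByRunningScript: { src: "https://cdn.example/component.js", parserInserted: false },
};

function evaluate(policy) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, s]) => [name, isAllowed(policy, s)]));
}

console.log({ nonceOnly: evaluate(nonceOnly), withStrictDynamic: evaluate(withStrictDynamic) });
```

In this model the only difference between the two headers is the script loaded by already-running code; an inline script in the markup still needs the nonce attribute under both.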