Passing nonce to inline script generated by oc-client
joginder0007 opened this issue · 1 comments
joginder0007 commented
Who is the bug affecting?
API consumers
What is affected by this bug?
Content security policy blocks the script
When does this occur?
Before rendering
Where on the platform does it happen?
Client
How do we replicate the issue?
Add a CSP scriptSrc='nonce=<some_value>'
Expected behavior (i.e. solution)
oc-client should have configuration for nonce to be passed
What version of OC, Node.js and OS are you using?
oc - v0.49.12, node version - 16.15.0
Other Comments
ricardo-devis-agullo commented
Doesn't this get fixed by using strict-dynamic, so instead of just doing
Content-Security-Policy: script-src 'nonce-<some_value>'
adding it like this?
Content-Security-Policy: script-src 'strict-dynamic' 'nonce-<some_value>'
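Added example, not part of the issue thread or the OC code base: a simplified model of how a browser applies the two `script-src` policies quoted above to different script elements. The function names, the nonce value `r4nd0m`, and the `cdn.example` URL are constructed for illustration; hash sources are not modelled, and host matching is reduced to an exact host comparison.

```javascript
// Simplified model of CSP Level 3 script-src checks (assumption: only nonce
// sources, host sources and 'strict-dynamic' are modelled; hashes are not).
function parseScriptSrc(header) {
  const directive = header.replace(/^Content-Security-Policy:\s*/i, '')
    .split(';').map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === 'script-src');
  if (!directive) return null; // no script-src directive in this header
  const sources = directive.slice(1);
  return {
    strictDynamic: sources.some((s) => s.toLowerCase() === "'strict-dynamic'"),
    nonces: sources.filter((s) => /^'nonce-.+'$/.test(s)).map((s) => s.slice(7, -1)),
    hosts: sources.filter((s) => !s.startsWith("'")),
  };
}

// script: { nonce, src, parserInserted }; src undefined means an inline script.
// parserInserted: present in the markup or written with document.write.
function isScriptAllowed(policy, script) {
  if (policy === null) return true; // nothing to enforce in this model
  // A matching nonce on the element grants trust under both policies.
  if (script.nonce && policy.nonces.includes(script.nonce)) return true;
  // An inline script has no other way in under these policies.
  if (script.src === undefined) return false;
  if (policy.strictDynamic) {
    // Host allowlists are ignored; trust extends only to script requests
    // from elements added through the DOM (not parser-inserted).
    return !script.parserInserted;
  }
  return policy.hosts.includes(new URL(script.src).host);
}

// Constructed sample policies and script elements.
const NONCE_ONLY = "Content-Security-Policy: script-src 'nonce-r4nd0m'";
const STRICT_DYNAMIC = "Content-Security-Policy: script-src 'strict-dynamic' 'nonce-r4nd0m'";
const scripts = {
  inlineWithNonce: { nonce: 'r4nd0m', parserInserted: true },
  inlineNoNonce: { parserInserted: true },
  domAddedExternal: { src: 'https://cdn.example/component.js', parserInserted: false },
  markupExternalNoNonce: { src: 'https://cdn.example/component.js', parserInserted: true },
};

function evaluate(header) {
  const policy = parseScriptSrc(header);
  return Object.fromEntries(
    Object.entries(scripts).map(([name, s]) => [name, isScriptAllowed(policy, s)])
  );
}

console.log(evaluate(NONCE_ONLY));
console.log(evaluate(STRICT_DYNAMIC));
```

In this model the two policies differ only for `domAddedExternal`; an inline script in the markup without a matching nonce is refused under both.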