opencomponents/oc

Passing nonce to inline script generated by oc-client

joginder0007 opened this issue · 1 comments

Who is the bug affecting?

API consumers

What is affected by this bug?

Content security policy blocks the script

When does this occur?

Before rendering

Where on the platform does it happen?

Client

How do we replicate the issue?

Add a CSP scriptSrc='nonce=<some_value>'

Expected behavior (i.e. solution)

oc-client should have configuration for nonce to be passed

What version of OC, Node.js and OS are you using?

oc - v0.49.12, node version - 16.15.0

Other Comments

Doesn't this get fixed by using strict-dynamic, so instead of just doing

Content-Security-Policy: script-src 'nonce-<some_value>'

adding it like this?

Content-Security-Policy: script-src 'strict-dynamic' 'nonce-<some_value>'
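
A simplified model of the two policies quoted in this thread, added here as an example; it is not code from the issue, the comment or oc-client. It generates a per-response nonce, builds both header forms, and shows which scripts each form lets run. It assumes the policy holds only nonce and 'strict-dynamic' sources (hashes and host sources are ignored), and the function names and the script descriptor shape are hypothetical.

```javascript
// Added example: simplified model of how a browser applies script-src.
// Function names and sample values are constructed for illustration.
const { randomBytes } = require('node:crypto');

// Fresh, unpredictable nonce for every response (128 bits, base64).
function newNonce() {
  return randomBytes(16).toString('base64');
}

// Build the header value in either form quoted in the thread.
function buildCsp(nonce, { strictDynamic = false } = {}) {
  const sources = [];
  if (strictDynamic) sources.push("'strict-dynamic'");
  sources.push(`'nonce-${nonce}'`);
  return `script-src ${sources.join(' ')}`;
}

// Parse a script-src value into the parts this model needs.
function parseScriptSrc(policy) {
  const tokens = policy.trim().split(/\s+/).slice(1);
  return {
    strictDynamic: tokens.includes("'strict-dynamic'"),
    nonces: tokens
      .filter((t) => /^'nonce-.+'$/.test(t))
      .map((t) => t.slice(7, -1)),
  };
}

// script: { inline, nonce, parserInserted } (hypothetical shape).
// Returns true when the modelled policy lets the script run.
function isAllowed(policy, script) {
  const { strictDynamic, nonces } = parseScriptSrc(policy);
  // A matching nonce attribute allows inline and external scripts alike.
  if (script.nonce && nonces.includes(script.nonce)) return true;
  // Inline code without a nonce is blocked; 'strict-dynamic' does not change that.
  if (script.inline) return false;
  // 'strict-dynamic' trusts external scripts that a running script added
  // to the DOM (not parser-inserted), e.g. createElement + appendChild.
  return strictDynamic && !script.parserInserted;
}
```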