Content security policy and inline javascript
As of Sitevision 2022.08.1 it is possible to use a CSP without the unsafe-inline keyword for JavaScript.
Setting nonce to run inline scripts without unsafe-inline
In Sitevision 2022.08.1 it is possible to start using a CSP without the unsafe-inline keyword for scripts in Sitevision. Just add the token <NONCE> to your policy and Sitevision will automatically create a nonce token that is unique for each request.
Example script-src directive
script-src 'self' <NONCE> 'unsafe-eval';
If you add the <NONCE> token to your policy, you must update all inline JavaScript in your custom functionality, such as WebApps or Script portlets, so that each script element carries the nonce. Static inline scripts in, for example, an HTML portlet will not work and must be converted to a Script portlet or WebApp instead.
To get the nonce token, use the getNonce() method of PortletContextUtil in the Sitevision public API.
In HTML/Velocity, add the nonce attribute to your script tag.
Always add nonce
As a WebApp developer, you should typically *always* add the nonce to all client script elements, so that your app runs regardless of the CSP settings of the site.