Content security policy and inline javascript

As of Sitevision 2022.08.1 it is possible to use a CSP without the unsafe-inline attribute for javascripts.

Setting nonce to run inline scripts without unsafe-inline

In Sitevision 2022.08.1 it is possible to start using a CSP without the unsafe-inline attribute for scripts in Sitevision. Just add the token <NONCE> to your policy and Sitevision will automatically create a nonce token that is unique for each request.

Example script-src directive

script-src 'self' <NONCE> 'unsafe-eval';

If you add the nonce attribute to your policy, you must update all inline javascripts in your custom functionality, such as WebApps or Script portlets. Static inline scripts in, for example, an HTML portlet will not work and must be converted to use a Script portlet or WebApp instead.

To get the nonce token you use the getNonce() method in PortletContextUtil in the Sitevision public API.

// javascript
const portletContextUtil = require('PortletContextUtil');
const nonce = portletContextUtil.getNonce();

And in HTML/Velocity, just add the nonce attribute to your script tag:

## velocity
<script nonce="$nonce">
   // script content...
</script>

Always add nonce

As a WebApp developer, you should typically *always* add the nonce to all client script elements to ensure that your app can be executed regardless of the CSP settings of the site.
