Sitevision Developer
Log in

Log in

Content security policy and inline javascript

As of Sitevision 2022.08.1 it is possible to use a CSP without the unsafe-inline attribute for javascripts.

Published: 2022-08-09  |  Updated: 2022-08-29

Setting nonce to run inline scripts without unsafe-inline

In Sitevision 2022.08.1 it is possible to start using a CSP without a the unsafe-inline attribute for scripts in sitevision. Just add the token <NONCE> to your policy and Sitevision will automatically create a nonce-token unique for each request.

Example script-src directive

script-src 'self' <NONCE> 'unsafe-eval';

If you add the nonce attribute to your policy, you must update all inline javascripts in your custom functionality, like webapps or script portlets. Static inline scripts in for example a HTML portlet will not work and must be converted to use a Script portlet or WebApp instead.

To get the nonce token you use the getNonce() method in PortletContextUtil in the Sitevision public API.

And in html/velocity just add the nonce attribute to your script tag

Always add nonce

As a WebApp developer, you should typically *always* add the nonce to all client script elements to ensure that your app can be executed regardless of the CSP settings of the site.