
Content security policy and inline javascript

As of Sitevision 2022.08.1 it is possible to use a CSP without the unsafe-inline attribute for JavaScript.

Published: 2022-08-09  |  Updated: 2022-08-29

Setting nonce to run inline scripts without unsafe-inline

In Sitevision 2022.08.1 it is possible to start using a CSP without the unsafe-inline attribute for scripts in Sitevision. Just add the token <NONCE> to your policy and Sitevision will automatically create a nonce token that is unique for each request.

Example script-src directive:

```
script-src 'self' <NONCE> 'unsafe-eval';
```

If you add the nonce token to your policy, you must update all inline JavaScript in your custom functionality, such as WebApps or Script portlets. Static inline scripts in, for example, an HTML portlet will not work and must be converted to use a Script portlet or WebApp instead.

To get the nonce token, use the getNonce() method of PortletContextUtil in the Sitevision public API.

```js
// javascript
const portletContextUtil = require('PortletContextUtil');
const nonce = portletContextUtil.getNonce();
```

In HTML/Velocity, add the nonce attribute to your script tag:

```vm
## velocity
<script nonce="$nonce">
  // script content...
</script>
```

Always add nonce

As a WebApp developer, you should typically *always* add the nonce to all client script elements to ensure that your app can be executed regardless of the CSP settings of the site.