Support Content Security Policy (CSP) on inline scripts #441
Comments
|
This patch work for us: diff --git a/src/consent-manager.js b/src/consent-manager.js
index 7a117fd..e991b53 100644
--- a/src/consent-manager.js
+++ b/src/consent-manager.js
@@ -311,7 +311,9 @@ export default class ConsentManager {
for(const attribute of element.attributes){
newElement.setAttribute(attribute.name, attribute.value)
}
-
+ if (element.hasAttribute('nonce')) {
+ newElement.setAttribute('nonce', element.nonce)
+ }
newElement.innerText = element.innerText
newElement.text = element.text
|
websi
added a commit
to dkd/klaro-js
that referenced
this issue
Apr 10, 2024
|
i provided a pull request for that. #504 |
|
Hey, we would really need this feature and would love to see the PR from @websi to be merged :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Content Security Policy (CSP) blocks inline scripts unless a specific 'nonce' is added
Header:
Content-Security-Policy: default-src 'none';script-src 'self' 'nonce-base64-value'
Html:
<script nonce="base64-value" type="text/plain" data-type="application/javascript" data-name="matomo">https://github.com/kiprotect/klaro/blob/7db425d6686d7f8d7dd2a5d26899e35a5e515f19/src/consent-manager.js#L311
"for(const attribute of element.attributes)" the nonce-attribute is always empty this way. the only way to access the nonce-attribute is "newElement.nonce = element.nonce"
see https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce#accessing_nonces_and_nonce_hiding
The text was updated successfully, but these errors were encountered: