Nonce values for Content-Security-Policy header | HCL Digital Experience
Inline script is considered risky, and is not recommended. But if it must be used with HCL Digital Experience Container Update CF192 and higher releases, then a nonce value must be appended to the script tag.
Note: In the DX default implementation of Content Security Policy, the nonce value is not appended to any script tags due to
the risk of marking malicious script as valid. Style changes are considered less risky,
therefore, nonce values are appended to style tags.
For example, the nonce value that would be included on the header looks like
this:
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa’
The same nonce value would be included on the script tag as
well:
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
var element = document.getElementById(“myelement”);</script>
DX now supplies a CSPService which can be used to obtain a unique nonce value.
Customers can use this service to append a nonce to any inline script that they
choose to permit in custom code. The format to obtain a nonce from the service
is:
The
implementation supports generation of 128-bit and random nonce values. For more
information, refer W3C specifications- Content Security Policy Level
3.String nonce=CSPService.getInstance().getNonce();