how to implement nonce for Content-Security-Policy script-src directive in dispatcher | Community
Level 2
November 7, 2024
Solved

how to implement nonce for Content-Security-Policy script-src directive in dispatcher

  • November 7, 2024
  • 3 replies
  • 4240 views

I am trying to remove "unsafe-inline" from the Content-Security-Policy script-src directive and am facing errors while loading the scripts on the site. The console error says I need to add a hash or nonce. Adding a hash integrity seems to work for a few scripts, but the Launch script and a few other scripts are still showing errors.

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-platform-data/sub-resource-integrity-sri-and-launch/ba-p/375327

https://experienceleague.adobe.com/en/docs/experience-platform/tags/client-side/content-security-policy

I went through the above documents, but I am not able to get a complete understanding of how to generate a nonce and add it to the scripts and the Content-Security-Policy in the dispatcher dynamically.

Please advise. Thank you.

3 replies

daniel-strmecki
Community Advisor and Adobe Champion
Accepted solution
November 7, 2024

Hi @vishnu9,

A nonce is supposed to be an unguessable, random value that the server generates individually for each response. Therefore I suggest you define your CSP header in AEM Publish instead of in the Dispatcher.

Here are the high-level steps to follow:

  • Generate an unguessable, random value in AEM individually for each response
  • Return the CSP header including script-src 'nonce-{SERVER-GENERATED-NONCE}'
  • Use the generated nonce for loading your inline script: <script nonce='{SERVER-GENERATED-NONCE}'>

Good luck,

Daniel

rampai
Community Advisor
May 7, 2025

Hi @daniel-strmecki,

How do you get around cache issues with this approach? We were able to get the nonce added to our scripts, but the value is getting cached, causing script execution failures upon a mismatch.

E.g. the page returns a particular cached nonce value but the script has some other value due to different TTLs.

Thanks,

Ram

daniel-strmecki
Community Advisor and Adobe Champion
May 7, 2025

Hi @rampai,

We use nonces only to allow specific inline scripts to run when a CSP is configured to block all inline scripts by default ('unsafe-inline' not allowed). Therefore, the same HTML response page contains both the CSP header and the inline scripts, so they cannot be different. For linked/external scripts, you should specifically list the domains you allow in the CSP, for example: "script-src 'self' https://cdn.example.com;"

Good luck,

Daniel

manoj_devapath
Level 5
November 8, 2024

@vishnu9 Adding the Content-Security-Policy directly at the dispatcher level is not best practice. You may have to add it at the server level, in your case on the publisher instance.

Sample policy: https://experienceleague.adobe.com/en/docs/experience-platform/tags/client-side/content-security-policy

content-security-policy:
default-src 'none';
object-src 'self';
script-src 'self';
connect-src 'self';
img-src 'self';
font-src 'self';
media-src 'self';

You can add the configuration in the Sling Main Servlet's additional headers:

sling.additional.response.headers
https://www.javadoc.io/static/org.apache.sling/org.apache.sling.engine/2.3.8/index.html?org/apache/sling/engine/impl/SlingMainServlet.html

Hope that helps.
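As an added example (not from this thread or from Adobe's documentation), the sample policy above placed in an OSGi configuration for the Sling Main Servlet. The entry format is `Header-Name=value`; the file name and its location under the project's config folder are assumptions, and the policy body is the one quoted in the post.

```json
{
  "sling.additional.response.headers": [
    "Content-Security-Policy=default-src 'none'; object-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; font-src 'self'; media-src 'self'"
  ]
}
```

Saved as `org.apache.sling.engine.impl.SlingMainServlet.cfg.json` in the publish run-mode configuration (assumed path). A header set this way is a fixed string applied to every response, so it can carry hashes and host allowlists but cannot carry a per-response nonce; the nonce approach from the accepted answer needs code that runs per request, not a static configuration.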

kautuk_sahni
Community Manager
November 25, 2024

@vishnu9 Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni