Expand my Community achievements bar.

Resolving Content Security Policy (CSP) after 2.4.6-p6 patch

Avatar

Level 1

Hi!

I'm working on moving all my JSs to have the "nonce" attached to all of them but even after handling all the cases I'm still seeing the error popping up for AdobeDTM JS as the print below shows:

IagoLi_0-1721052334194.png

"nonce" is there inside the script tag:

IagoLi_1-1721052494466.png


But the calls keep on failing, any ideas on how to solve this? We are not willing to "allow inline script" since this is kind of the main topic of the patch itself.

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

2 Replies

Avatar

Level 5

Your CSP policy seems to be incorrect. You are whitelisting a lot of domains + running nonce validation + running hash validation + 'unsafe-eval' + 'unsafe-hashes' 

 

First eval itself is completely evil. And you included `unsafe-eval`. CSP3 removed 'unsafe-eval' as recognized directive. Should remove it. 

Second, remove 'unsafe-hashes' also.

 

Use tools like https://csp-evaluator.withgoogle.com/ and https://cspvalidator.org/#url=https://cspvalidator.org/ to validate your policy.

 

If your CSP policy having bug. Guessing, removing the unsafe directives should work. Else follow the validator tools for recommended fix.

Avatar

Administrator

@IagoLima Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!



Kautuk Sahni