
Resolving Content Security Policy (CSP) after 2.4.6-p6 patch


Hi!

I'm working on moving all my JS to have the "nonce" attached to all of it, but even after handling all the cases I'm still seeing the error popping up for the AdobeDTM JS, as the print below shows:

[screenshot: IagoLi_0-1721052334194.png]

"nonce" is there inside the script tag:

[screenshot: IagoLi_1-1721052494466.png]

But the calls keep failing. Any ideas on how to solve this? We are not willing to "allow inline script", since this is kind of the main topic of the patch itself.


1 Reply


Your CSP policy seems to be incorrect. You are whitelisting a lot of domains, running nonce validation, running hash validation, and using 'unsafe-eval' and 'unsafe-hashes'.

First, eval itself is completely evil, and you included `unsafe-eval`. CSP3 removed 'unsafe-eval' as a recognized directive. You should remove it.

Second, remove 'unsafe-hashes' as well.

Use tools like https://csp-evaluator.withgoogle.com/ and https://cspvalidator.org/#url=https://cspvalidator.org/ to validate your policy.

If your CSP policy has a bug, I'm guessing that removing the unsafe directives should work. Otherwise, follow the validator tools' recommended fixes.
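To make the reply's point concrete, here is an added example (not code from the thread or from Adobe Commerce) that parses a CSP header, flags the unsafe-* keywords, and models how a CSP2+ browser decides whether a given script tag runs. The two policies, the `shop.example` page origin and the `abc123` nonce are constructed for illustration; the check shows that a nonce must match the header exactly and that once a nonce or hash is present, `'unsafe-inline'` no longer rescues an inline script without one.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed sample policies (not from the original thread). LOOSE has the shape
# the reply describes: many hosts plus a nonce, a hash and the unsafe-* keywords.
LOOSE_POLICY = ("script-src 'self' 'nonce-abc123' 'sha256-AAAA' 'unsafe-eval' "
                "'unsafe-hashes' 'unsafe-inline' https://assets.adobedtm.com "
                "https://cdn.example.com; object-src 'none'")
STRICT_POLICY = "script-src 'self' 'nonce-abc123' https://assets.adobedtm.com; object-src 'none'"
WEAK_KEYWORDS = {"'unsafe-eval'", "'unsafe-hashes'", "'unsafe-inline'"}
INLINE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def weak_sources(policy, directive="script-src"):
    """Return the unsafe-* keywords that appear in the given directive."""
    return {s for s in policy.get(directive, []) if s.lower() in WEAK_KEYWORDS}

def sha256_source(body):
    """Hash-source expression for an inline script body, as CSP expects it."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def script_allowed(policy, src=None, nonce=None, body=None, page_origin="https://shop.example"):
    """Model a CSP2+ browser's verdict for one <script> tag (src=None means inline)."""
    sources = policy.get("script-src", [])
    lowered = [s.lower() for s in sources]
    # Nonces are compared exactly: the header nonce and the tag nonce must be identical.
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    if src is None:
        if body is not None and sha256_source(body) in sources:
            return True
        # Once any nonce or hash source is present, 'unsafe-inline' is ignored, so an
        # inline script that carries no matching nonce or hash is blocked regardless.
        has_nonce_or_hash = any(s.startswith(INLINE_PREFIXES) for s in lowered)
        return "'unsafe-inline'" in lowered and not has_nonce_or_hash
    # Host sources are matched by origin here, a simplification of the spec's path rules.
    origin = urlparse(src).scheme + "://" + urlparse(src).netloc
    return origin.lower() in lowered or ("'self'" in lowered and origin == page_origin)
```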