
how to implement nonce for Content-Security-Policy script-src directive in dispatcher


Level 2

I am trying to remove "unsafe-inline" from the Content-Security-Policy script-src directive and am facing errors while loading scripts on the site. The console error says I need to add a hash or nonce. Adding a hash (integrity) seems to work for a few scripts, but the Launch script and a few other scripts are still showing errors.


https://experienceleaguecommunities.adobe.com/t5/adobe-experience-platform-data/sub-resource-integri...


https://experienceleague.adobe.com/en/docs/experience-platform/tags/client-side/content-security-pol...


I went through the above documents, but I am not able to get a complete understanding of how to generate a nonce and add it to the scripts and to the Content-Security-Policy in Dispatcher dynamically.


Please advise. Thank you.


2 Replies


Level 8

Hi @Vishnu9,

A nonce is supposed to be an unguessable, random value that the server generates individually for each response. Therefore I suggest you define your CSP header in AEM Publish instead of Dispatcher.

Here are the high-level steps to follow:

  • Generate an unguessable, random value in AEM individually for each response
  • Return the CSP header including script-src 'nonce-{SERVER-GENERATED-NONCE}'
  • Use the generated nonce for loading your inline script <script nonce='{SERVER-GENERATED-NONCE}'>


Good luck,

Daniel
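The three steps above as an added Java example (not Adobe's code and not from this thread): a Sling request filter for AEM Publish that generates one nonce per response, sets the CSP header with it, and hands the same value to components through a request attribute. The attribute name cspNonce, the service ranking and the exact policy string are assumptions for illustration.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.osgi.service.component.annotations.Component;

// Added example, not Adobe's or the thread's code. Registers a Sling request
// filter (attribute name and policy text are assumptions for illustration).
@Component(service = Filter.class, property = {
    "sling.filter.scope=request",
    "service.ranking:Integer=100"
})
public class CspNonceFilter implements Filter {
  public static final String NONCE_ATTR = "cspNonce"; // assumed attribute name
  private static final SecureRandom RANDOM = new SecureRandom();

  /** 128 bits from a CSPRNG, base64-encoded: unguessable and new for every response. */
  static String newNonce() {
    byte[] bytes = new byte[16];
    RANDOM.nextBytes(bytes);
    return Base64.getEncoder().encodeToString(bytes);
  }

  /** The sample policy from this thread, with 'nonce-...' in script-src instead of 'unsafe-inline'. */
  static String buildPolicy(String nonce) {
    return "default-src 'none'; object-src 'self'; script-src 'self' 'nonce-" + nonce + "'; "
        + "connect-src 'self'; img-src 'self'; font-src 'self'; media-src 'self'";
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    if (req instanceof SlingHttpServletRequest && res instanceof SlingHttpServletResponse) {
      String nonce = newNonce();
      // Components read this attribute and render <script nonce="..."> with it.
      req.setAttribute(NONCE_ATTR, nonce);
      // The header must carry the same value as the script tags in this response.
      ((SlingHttpServletResponse) res).setHeader("Content-Security-Policy", buildPolicy(nonce));
    }
    chain.doFilter(req, res);
  }

  @Override public void init(FilterConfig config) { }
  @Override public void destroy() { }
}
```

Because the value differs for every response, a page carrying a nonce cannot be served from the Dispatcher cache, which is the practical reason the header belongs in Publish rather than in Dispatcher rules.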


Level 6

@Vishnu9 Adding Content-Security-Policy directly at the Dispatcher level is not best practice. You may have to add it at the server level, in your case on the Publisher instance.


Sample policy https://experienceleague.adobe.com/en/docs/experience-platform/tags/client-side/content-security-pol...


content-security-policy:
default-src 'none';
object-src 'self';
script-src 'self';
connect-src 'self';
img-src 'self';
font-src 'self';
media-src 'self';

You can add the configuration in the Sling Main Servlet's additional response headers:

sling.additional.response.headers
https://www.javadoc.io/static/org.apache.sling/org.apache.sling.engine/2.3.8/index.html?org/apache/s...

Hope that helps.