Adobe Experience Manager Sites & More

Vishnu9 · 11/7/24

I am trying to remove "unsafe-inline" from Content-Security-Policy script-src directive and facing errors while loading them to site. console error says need to add hash or nonce. adding as hash integrity seems to work for few scripts but launch script and few other scripts are still showing errors.

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-platform-data/sub-resource-integri...

https://experienceleague.adobe.com/en/docs/experience-platform/tags/client-side/content-security-pol...

went through above documents , but not able to get complete understanding on how to generate nonce and add it to scripts and Content-Security-Policy in dispatcher dynamically .

Please advice . Thank you

daniel-strmecki · 11/7/24

Hi @Vishnu9,

nonce is supposed to be an unguessable, random value that the server generates individually for each response. Therefore I suggest you define your CSP header in the AEM Publish, instead of Dispatcher.

Here are the high-level steps to follow:

Generate an unguessable, random value in AEM individually for each response
Return the CSP header including script-src 'nonce-{SERVER-GENERATED-NONCE}'
Use the generated nonce for loading your inline script <script nonce='{SERVER-GENERATED-NONCE}'>

Good luck,

Daniel

View solution in original post

daniel-strmecki · 11/7/24

Hi @Vishnu9,

nonce is supposed to be an unguessable, random value that the server generates individually for each response. Therefore I suggest you define your CSP header in the AEM Publish, instead of Dispatcher.

Here are the high-level steps to follow:

Generate an unguessable, random value in AEM individually for each response
Return the CSP header including script-src 'nonce-{SERVER-GENERATED-NONCE}'
Use the generated nonce for loading your inline script <script nonce='{SERVER-GENERATED-NONCE}'>

Good luck,

Daniel

mjb54261515 · 11/8/24

@Vishnu9 Adding content-security-policy directly at dispacher level is not best practice. You may have to add it on server level. In your case on publisher instance.

Sample policy https://experienceleague.adobe.com/en/docs/experience-platform/tags/client-side/content-security-pol...

content-security-policy:
default-src 'none';
object-src 'self';
script-src 'self';
connect-src 'self';
img-src 'self' ;
font-src 'self';
media-src 'self';

You can add the configuration in Sling main servlet. additional headers,

sling.additional.response.headers
https://www.javadoc.io/static/org.apache.sling/org.apache.sling.engine/2.3.8/index.html?org/apache/s...

Hope that helps.

kautuk_sahni · 11/25/24

@Vishnu9 Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Adobe Experience Manager Sites & More

how to implement nonce for Content-Security-Policy script-src directive in dispatcher

Kautuk Sahni

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe