The subject is much more complicated than you may think.

Using a nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). A "nonce is a randomly generated token that should be used only one time", so hard-coding it anywhere is not going to meet the requirements. Further, the example given is:

"Example Nonce Usage
Script-src directive: script-src
We are using the phrase: to denote a random value.
You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request."

Given the requirement for a random token generator for each request, nonce seems to be anything but a simple implementation. If you need to allow inline scripts, perhaps you should use the hash implementation rather than the nonce implementation, since using a hash is one way to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP with JavaScript.

Suppose we have the following script on our page:

doSomething()
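As an added example (not part of the original post), the following Python script shows both mechanisms side by side for the inline script above: it computes the hash-based script-src source expression for the exact script body, and it generates a fresh per-response nonce from the OS CSPRNG. The function names, the script body and the 16-byte nonce length are assumptions chosen for illustration; the hash is a SHA-256 digest over the exact bytes between the script tags, base64-encoded, which is what browsers compare against.

```python
import base64
import hashlib
import secrets

# Constructed sample: the inline script body from the post, i.e. the exact
# bytes that sit between <script> and </script>.
INLINE_SCRIPT = "doSomething()"


def csp_hash(script_body: str, algorithm: str = "sha256") -> str:
    """Return the CSP source expression 'sha256-<base64 digest>' for one inline script.

    The digest covers the exact UTF-8 bytes of the script body. Any change,
    even a trailing space or newline, yields a different hash and the browser
    will refuse to run the script, which is also why a hash policy never
    needs to change between requests.
    """
    digest = hashlib.new(algorithm, script_body.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def hash_policy(script_bodies) -> str:
    """Build a script-src directive that allows exactly the given inline scripts."""
    sources = " ".join(csp_hash(body) for body in script_bodies)
    return f"script-src {sources}"


def new_nonce(num_bytes: int = 16) -> str:
    """Generate a nonce for a single HTTP response.

    secrets.token_bytes draws from the operating system CSPRNG, which meets
    the 'cryptographically secure random token generator' requirement. The
    value must be generated once per response and never hard-coded.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def nonce_policy(nonce: str) -> str:
    """Build the script-src directive for a nonce-based policy."""
    return f"script-src 'nonce-{nonce}'"


def render_with_nonce(nonce: str, script_body: str) -> str:
    """Emit the inline script tag carrying the same nonce as the policy header."""
    return f'<script nonce="{nonce}">{script_body}</script>'


def script_allowed_by_hash(policy: str, script_body: str) -> bool:
    """Mirror the browser's check: is the hash of this exact body listed in the policy?"""
    return csp_hash(script_body) in policy.split()


if __name__ == "__main__":
    # Hash variant: static header, valid for every request serving this page.
    print("Content-Security-Policy:", hash_policy([INLINE_SCRIPT]))
    # Nonce variant: header and tag must be regenerated together per response.
    nonce = new_nonce()
    print("Content-Security-Policy:", nonce_policy(nonce))
    print(render_with_nonce(nonce, INLINE_SCRIPT))
```

Run it twice and the hash line stays identical while the nonce line changes, which is the practical difference the post is pointing at: a hash policy can live in static server configuration, whereas a nonce policy requires the response generator to mint the token and inject it into both the header and the script tag on every request.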