Support Content Security Policy (CSP) on inline scripts #441
Comments
This patch works for us:
diff --git a/src/consent-manager.js b/src/consent-manager.js
index 7a117fd..e991b53 100644
--- a/src/consent-manager.js
+++ b/src/consent-manager.js
@@ -311,7 +311,9 @@ export default class ConsentManager {
for(const attribute of element.attributes){
newElement.setAttribute(attribute.name, attribute.value)
}
-
+ if (element.hasAttribute('nonce')) {
+ newElement.setAttribute('nonce', element.nonce)
+ }
newElement.innerText = element.innerText
newElement.text = element.text
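Review bot: in the added `if` block, `newElement.setAttribute('nonce', element.nonce)` writes the nonce back into the content attribute of the new element; assigning the property instead (`newElement.nonce = element.nonce`), as the issue description proposes, carries the value without putting it into the markup attribute. The `for` loop just above still copies the `nonce` attribute with its empty value before this block overwrites it, so consider skipping `nonce` in that loop and adding a one-line comment saying why the nonce needs separate handling.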
websi added a commit to dkd/klaro-js that referenced this issue Apr 10, 2024
I provided a pull request for that. #504
Hey, we would really need this feature and would love to see the PR from @websi to be merged :)
Content Security Policy (CSP) blocks inline scripts unless a specific 'nonce' is added
Header:
Content-Security-Policy: default-src 'none';script-src 'self' 'nonce-base64-value'
Html:
<script nonce="base64-value" type="text/plain" data-type="application/javascript" data-name="matomo">
https://github.com/kiprotect/klaro/blob/7db425d6686d7f8d7dd2a5d26899e35a5e515f19/src/consent-manager.js#L311
"for(const attribute of element.attributes)": the nonce-attribute is always empty this way. The only way to access the nonce-attribute is "newElement.nonce = element.nonce".
See https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce#accessing_nonces_and_nonce_hiding
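The behaviour this issue describes, as an added example that is not part of the original post or of klaro's code. `FakeScript` is a constructed stand-in for a browser `<script>` element after nonce hiding, and `copyAttributesOnly`, `copyWithNonce` and `sampleSource` are hypothetical helper names.

```javascript
// Constructed stand-in for a browser <script> element. It models one thing:
// after nonce hiding the content attribute reads "" while the `nonce`
// property still holds the value, and setting the attribute overwrites it.
class FakeScript {
  constructor(attrs = {}, nonce = '') {
    this._attrs = new Map(Object.entries(attrs));
    this.nonce = nonce;
    this.text = '';
  }
  get attributes() {
    return [...this._attrs].map(([name, value]) => ({ name, value }));
  }
  hasAttribute(name) { return this._attrs.has(name); }
  getAttribute(name) { return this._attrs.has(name) ? this._attrs.get(name) : null; }
  setAttribute(name, value) {
    this._attrs.set(name, String(value));
    if (name === 'nonce') this.nonce = String(value);
  }
}

// Attribute-only copy, like the loop quoted in the issue: the hidden (empty)
// attribute value is what gets copied, so the new element has no usable nonce.
function copyAttributesOnly(element, newElement) {
  for (const attribute of element.attributes) {
    newElement.setAttribute(attribute.name, attribute.value);
  }
  return newElement;
}

// Skip the hidden attribute and carry the nonce through the property.
function copyWithNonce(element, newElement) {
  for (const attribute of element.attributes) {
    if (attribute.name === 'nonce') continue;
    newElement.setAttribute(attribute.name, attribute.value);
  }
  if (element.nonce) newElement.nonce = element.nonce;
  newElement.text = element.text;
  return newElement;
}

// Constructed sample: the placeholder script from the issue, after nonce hiding.
function sampleSource() {
  const attrs = { nonce: '', type: 'text/plain', 'data-type': 'application/javascript', 'data-name': 'matomo' };
  const el = new FakeScript(attrs, 'base64-value');
  el.text = '/* constructed script body */';
  return el;
}

console.log('attribute-only copy nonce:', JSON.stringify(copyAttributesOnly(sampleSource(), new FakeScript()).nonce));
console.log('property copy nonce:', JSON.stringify(copyWithNonce(sampleSource(), new FakeScript()).nonce));
```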