Power Pages - Security

Power Pages : How to set dynamic nonce in CSP headers

(1) Share

Report

Posted on by VKartik

Hi Team,

As a part of security we were advised to add CSP headers in our Power Page application

In CSP headers when we add script-src tag , few core functionalities of our application stops working.

This is because script-src will not allow inline scripts to execute.

This can be overcome by using nonce tag which need to be enabled using Power Page management app.

But what we noticed is nonce tag is getting added to inline scripts with dynamically generated value.

This dynamically generated value is getting changed with every request.

Do we have any way to configure dynamic nonce value in Power Page Management security settings ?

Following is the snapshot of dynamically generated nonce value

Categories:

Settings

All responses (2)

Answers (0)

VKartik 16 on at

Like (0)

Report

Power Pages : How to set dynamic nonce in CSP headers

Hi

Thanks for your response
I tried adding 'self' to script-src but that also doesn't help and i get the same error.

Also i synced the settings after adding
Following is the screenshot
Suggested answer

oliver.rodrigues 9,248 Most Valuable Professional on at

Like (0)

Report

Power Pages : How to set dynamic nonce in CSP headers

My understanding here is that you don't need to worry about the dynamic token that is generated at all. The Portal server-side code should take care of ensuring that the JS code works (basically the nonce should match the token in your inline JS).

Are you missing a "self" there in your script-src?

for example:

script-src 'self' 'nonce'