Hello team,
We are trying to implement a Content Security Policy on our website, but while applying it in our portal management, the site's CSS and JS are getting affected. We tried to add the attribute "nonce" to the script and style tags, but we need to provide some cryptographic number as its value, which must be the same as in the "HTTP/Content-Security-Policy" header. But whenever we try to concatenate nonce with some cryptographic value in the above header, the site checker fails.
How can we resolve the above issue and implement the Content-Security-Policy in our Power Pages site?
Adding a nonce for script-src works by adding the nonce value to most of the inline scripts. But you need to ensure you purge the cache or restart the site before testing changes. I have wasted some time on this.
The problem is that adding a nonce also generates the hash, 'unsafe-eval' and 'unsafe-hashes' directives, which again generate other security warnings on pages. Just sharing my experience for future reference if anyone comes looking for it.
Thanks @OOlashyn,
The CSP nonce is not getting applied to some scripts of our web page because of the content snippet added just before those scripts. After removing the content snippet, the CSP got applied to each and every script.
I tested it on my instance, and if I add the inline script to the Header web template it works fine with the nonce setting. I would advise you to open a support ticket with Microsoft, as Power Pages should add a nonce to every inline script.
Hi @NikhilDey, if I need to show or hide information, could I use this solution? I was reading about Dataverse permissions.
The nonce is getting added to some of the inline scripts, but it is not being applied to the script explicitly mentioned in the Header web template. We are getting the below error for the scripts that are not getting the nonce: "Refused to execute inline script because it violates the following Content Security Policy directive:"
We tried to apply the same CSP feature on a different site, and there the nonce feature works for the same script in the Header web template file.
Can you check whether the nonce was added by the system to that script tag, or whether it is missing? By header file, do you mean the Header web template or something else?
Thank you for your reply @OOlashyn.
When we try to set the "HTTP/Content-Security-Policy" value to "script-src https: 'nonce'", some of the scripts are not getting executed. For example, the script tag which is present by default in the header file is not executed for us.
Hi @NikhilDey,
You don't need to provide a value for nonce with Power Pages. If you set your Site Setting "HTTP/Content-Security-Policy" to script-src https: 'nonce', Power Pages will automatically add the correct randomly generated string to your inline code. However, nonce in Power Pages works only with inline scripts and inline event handlers, meaning that only code written as an inline script or in the Custom JavaScript field will work properly. Regarding CSS, I am not sure that Power Pages supports it.
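A way to verify which inline scripts actually received the nonce, as an added diagnostic that is not part of this thread or of Power Pages: it reads the nonce the emitted CSP header allows and reports each inline `<script>` in the page as ok, missing or mismatch (the header and HTML below are constructed samples).

```python
# Added diagnostic (not Power Pages code): which inline <script> tags carry the nonce the CSP header allows.
import re
from html.parser import HTMLParser

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")

def csp_script_nonces(csp_header):
    """Nonce values permitted for scripts (script-src, else default-src)."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return {m.group(1) for t in sources if (m := NONCE_RE.match(t))}

class InlineScriptCollector(HTMLParser):
    """Collect every <script> without src, as (line number, nonce attribute)."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and "src" not in a:  # external scripts are host-matched, not nonce-matched
            self.scripts.append((self.getpos()[0], a.get("nonce")))

def check_inline_scripts(csp_header, html):
    """Return [(line, status)] with status 'ok', 'missing' or 'mismatch'."""
    allowed = csp_script_nonces(csp_header)
    parser = InlineScriptCollector()
    parser.feed(html)
    results = []
    for line, nonce in parser.scripts:
        status = "missing" if nonce is None else "ok" if nonce in allowed else "mismatch"
        results.append((line, status))
    return results

# Constructed sample: one inline script lacks the nonce (the content-snippet case in this
# thread) and one carries a stale value (what a cached page shows after the nonce rotated).
SAMPLE_CSP = "default-src 'self'; script-src https: 'nonce-R4nd0mV4lu3'"
SAMPLE_HTML = """<html><head>
<script nonce="R4nd0mV4lu3">console.log('header template');</script>
<script>console.log('content snippet, no nonce');</script>
<script src="https://cdn.example/lib.js"></script>
<script nonce="stale">console.log('stale nonce');</script>
</head></html>"""

if __name__ == "__main__":
    for line, status in check_inline_scripts(SAMPLE_CSP, SAMPLE_HTML):
        print(f"inline <script> at line {line}: {status}")
```

Run it against a saved copy of the page and the actual response header (after purging the cache, as noted above) to see which script tags the browser will refuse.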