
Support Content Security Policy (CSP) on inline scripts

Open bechold opened this issue 2 years ago • 3 comments

Content Security Policy (CSP) blocks inline scripts unless a specific 'nonce' is added

Header: Content-Security-Policy: default-src 'none';script-src 'self' 'nonce-base64-value'

Html:

bechold avatar Jun 14 '22 12:06 bechold

This patch works for us:

diff --git a/src/consent-manager.js b/src/consent-manager.js
index 7a117fd..e991b53 100644
--- a/src/consent-manager.js
+++ b/src/consent-manager.js
@@ -311,7 +311,9 @@ export default class ConsentManager {
                 for(const attribute of element.attributes){
                     newElement.setAttribute(attribute.name, attribute.value)
                 }
-
+                if (element.hasAttribute('nonce')) {
+                    newElement.setAttribute('nonce', element.nonce)
+                }
                 newElement.innerText = element.innerText
                 newElement.text = element.text
 
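Review bot: The new `if` block at line 314 needs a comment saying why it exists, because the `for` loop directly above already copies every attribute, `nonce` included, and the next reader will take the block for redundant. The reason is that browsers hide the nonce content attribute on a connected element when the page is served with a CSP header, so `attribute.value` is an empty string for `nonce` and only the `element.nonce` property still returns the real value. I would also guard on the value rather than on the attribute's presence, for example `if (element.nonce) { newElement.nonce = element.nonce }`, so that an empty nonce is never written to the new element. The blank line removed before the block is worth keeping as a separator from the loop.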

websi avatar Jun 16 '23 08:06 websi

I provided a pull request for that. #504

websi avatar Apr 10 '24 13:04 websi