Inject script to pass CSP security header
Currently, when using this package and having a restrictive CSP header (including a hash), you get the following error:
Refused to execute inline script because it violates the following Content Security Policy directive:
"script-src 'self' 'sha256-8vI1As+YvGPUUpPp6RL6G2wI9FGjUN3x9MU3jdupP4s='". Either the 'unsafe-inline' keyword,
a hash ('sha256-ZxiMCbcVxDCutNT7QrHdr+d0Z99vF3DED6pLitElTag='), or a nonce ('nonce-...')
is required to enable inline execution.
As the error says, including a nonce in the script header here would fix the error most likely. An optional parameter passed down from the ThemeProvider.
Top GitHub Comments
Related to: https://github.com/pacocoursey/next-themes/issues/106
You can't add a hash exception for a base64-encoded script (current approach). You could add data: to the script-src directive for now.

Thanks @brokul-dev. Following worked for me:
script-src 'self' 'unsafe-eval' 'unsafe-inline' *.youtube.com *.twitter.com data:;