Not being able to use DocumentUltimate with a Content Security Policy that disables inline scripts
Problem reported by Richard Spinks - 2/4/2019 at 3:32 AM
We have recently undergone a penetration test have been advised of a medium warning of having a content-security-policy that allows for scripts to be run inline

script-src 'self' ‘inline-unsafe’ 

The reason we include this in the CSP is it’s the only way we can get DocumentUltimate to render on a page in MVC, otherwise we see the following error;

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'. Either the 'unsafe-inline' keyword, a hash ('sha256-CbsBk3tbY2XlgmqK+GDo083a828ssTVO/nFDuoh1JMk='), or a nonce ('nonce-...') is required to enable inline execution.

Is there a workaround for this? 

I understand this is not a direct problem with DocumentUltimate but it does cause a problem when trying to use your component in a secure website which wants to protect against a XSS attack.

It’s not possible to use a Hash as a workaround because from what I can see the script that renders on the page holds dynamic values. So, the only resolution I believe would be to have some way we could reference a nonce value when building the DocumentViewer that then would populate the script tag?

Reply to Thread