We have recently undergone a penetration test and have been advised of a medium-severity warning for having a Content-Security-Policy that allows scripts to be run inline:
script-src 'self' 'unsafe-inline'
The reason we include this in the CSP is that it's the only way we can get DocumentUltimate to render on a page in MVC; otherwise we see the following error:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'. Either the 'unsafe-inline' keyword, a hash ('sha256-CbsBk3tbY2XlgmqK+GDo083a828ssTVO/nFDuoh1JMk='), or a nonce ('nonce-...') is required to enable inline execution.
Is there a workaround for this?
I understand this is not a direct problem with DocumentUltimate, but it does cause a problem when trying to use your component in a secure website which wants to protect against an XSS attack.
It's not possible to use a hash as a workaround because, from what I can see, the script that renders on the page holds dynamic values. So the only resolution I believe would be to have some way we could reference a nonce value when building the DocumentViewer that would then populate the script tag?
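The following is an added example (not part of the original post and not DocumentUltimate's own code) showing the nonce plumbing the question is asking for on the host-application side, assuming ASP.NET MVC 5 on System.Web: an action filter generates a fresh CSPRNG nonce per request, emits a script-src policy without 'unsafe-inline', and stores the nonce so views can stamp it on their own inline <script> tags. The class and helper names (CspNonceAttribute, CspNonce, NonceScript) are my own. Whether the viewer component's generated script tag can be given the same nonce depends on an option the component would have to expose, which this post does not show; the example only covers scripts the application itself renders.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Per-request CSP nonce for ASP.NET MVC 5 (System.Web.Mvc). Added example; hypothetical names.
public class CspNonceAttribute : ActionFilterAttribute
{
    public const string ItemKey = "CspNonce";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // 128 bits from the OS CSPRNG, base64-encoded: the nonce must be unguessable and
        // must never be reused across responses, otherwise it is no better than 'unsafe-inline'.
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string nonce = Convert.ToBase64String(bytes);

        HttpContextBase ctx = filterContext.HttpContext;
        ctx.Items[ItemKey] = nonce;

        // 'unsafe-inline' is omitted. Inline scripts without this exact nonce attribute are
        // refused by the browser with the same console error quoted in the post.
        ctx.Response.AppendHeader("Content-Security-Policy",
            "script-src 'self' 'nonce-" + nonce + "'");

        base.OnActionExecuting(filterContext);
    }
}

public static class CspNonceHtmlHelpers
{
    // Reads the nonce the filter stored for this request (empty if the filter did not run).
    public static string CspNonce(this HtmlHelper html)
    {
        return html.ViewContext.HttpContext.Items[CspNonceAttribute.ItemKey] as string ?? "";
    }

    // Wraps application-authored JavaScript (never user input) in a <script> tag that
    // carries the request's nonce, so the dynamic values inside it need no hash.
    public static IHtmlString NonceScript(this HtmlHelper html, string javascript)
    {
        string nonce = HttpUtility.HtmlAttributeEncode(html.CspNonce());
        return new HtmlString("<script nonce=\"" + nonce + "\">" + javascript + "</script>");
    }
}

// Usage (constructed): decorate the controller or action with [CspNonce], then in the Razor view
// emit @Html.NonceScript("var viewerId = '" + Model.ViewerId + "';") for inline scripts.
```

Two checks worth making after wiring this in: the response must carry exactly one Content-Security-Policy header (if another layer such as web.config customHeaders also sets one, the browser enforces the intersection of both policies), and the nonce must change on every response, which is easy to confirm by reloading the page and comparing the header value.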