  • Status: Moved to Github

If you want to deploy a content security policy on your server and allow loading resources from only certain 3rd-party domains, it will also block all inline scripts and styles unless you use the nonce="..." attribute on them. As a workaround, "unsafe-inline" could be applied in the CSP, but this is not recommended 🤔

https://content-security-policy.com/unsafe-inline/


https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce


More info about the nonce attribute: https://stackoverflow.com/questions/42922784/what-s-the-purpose-of-the-html-nonce-attribute-for-script-and-style-elements

So currently we have to use unsafe-inline https://securityheaders.com/?q=techforum.cz&followRedirects=on 😐 (it's still the v4 app on the live server, but nothing has changed in v5)


User Feedback

Recommended Comments

Marc

Invision Community Team

Sorry, you don't appear to have stated what you believe is a bug. Please could you clarify? It may well also be that this is a request rather than a bug. If so, you would need to post it as feedback in the feedback area, rather than as a bug report.

Vodafone CZ

Clients

Missing nonce attribute on inline scripts and styles 😮 Without this attribute, a CSP with allowed domains will break the app.

Vodafone CZ

Clients

You can use this CSP to test; it allows only Google assets (for reCAPTCHA, for example):

default-src 'self'; script-src 'self' *.google.com *.gstatic.com; style-src 'self' *.gstatic.com

Without the unsafe-inline value it blocks all inline scripts and styles, but such a value is considered dangerous.

Vodafone CZ

Clients

And to the solution: if the app generates a unique nonce attribute for all inline scripts and styles, we can add it to the CSP like this:

default-src 'self' 'nonce-xxxxx'; script-src 'self' 'nonce-xxxxx' *.google.com *.gstatic.com; style-src 'self' 'nonce-xxxxx' *.gstatic.com

This won't block the app's inline scripts and styles, and it is possible to remove the dangerous unsafe-inline values from the CSP.
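To make the per-response flow concrete, here is an added Python example (not code from Invision Community or from anyone in this thread): it generates a fresh nonce for each response, fills it into the policy posted above, and lints a rendered page for inline script/style tags that such a policy would block. The HTML fragment and the gstatic URL are constructed sample input, and the `*` before `.google.com` is assumed to match the `*.gstatic.com` entry.

```python
import base64
import re
import secrets
from typing import List

# Policy modelled on the one posted above; {n} is filled with a fresh nonce
# for every HTTP response (a nonce reused across responses becomes guessable).
CSP_TEMPLATE = (
    "default-src 'self' 'nonce-{n}'; "
    "script-src 'self' 'nonce-{n}' *.google.com *.gstatic.com; "
    "style-src 'self' 'nonce-{n}' *.gstatic.com"
)

def make_nonce(nbytes: int = 16) -> str:
    """Unguessable base64 nonce (CSP requires base64) from a CSPRNG."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def csp_header(nonce: str) -> str:
    """Value for the Content-Security-Policy response header."""
    return CSP_TEMPLATE.format(n=nonce)

_TAG = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
_NONCE = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
_SRC = re.compile(r"\bsrc\s*=", re.IGNORECASE)

def find_blocked_inline(html: str, nonce: str) -> List[str]:
    """Opening tags of inline <script>/<style> elements the policy above
    would block: no nonce attribute, or a nonce differing from the header's.
    External scripts (src=...) are governed by the host list, not the nonce."""
    blocked = []
    for m in _TAG.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        if tag == "script" and _SRC.search(attrs):
            continue
        found = _NONCE.search(attrs)
        if found is None or found.group(1) != nonce:
            blocked.append(m.group(0))
    return blocked

def render_page(nonce: str) -> str:
    """Constructed sample body: each inline script/style carries the nonce
    issued for this same response; the external URL is a placeholder."""
    return (
        f'<script nonce="{nonce}">console.log("inline ok")</script>\n'
        f'<style nonce="{nonce}">body{{margin:0}}</style>\n'
        '<script src="https://www.gstatic.com/example.js"></script>'
    )
```

Send `csp_header(n)` as the Content-Security-Policy header of the same response whose body was rendered with `render_page(n)`; a nonce from an earlier response, or a tag without one, shows up in `find_blocked_inline`.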

Marc

Invision Community Team

I've added this as a bug for you, and it can be confirmed if it's not a bug.

Vodafone CZ

Clients

Do you know if this is going to be fixed? 🤔

It is quite important to have the content security policy configured properly due to cookies here in the EU 😐

Marc

Invision Community Team

It's still an open bug report as of yet, but it will be at some point, yes.