How should the nonce be properly set in the csp policy?

I've been attempting to incorporate a nonce into the csp policy but it's not functioning as anticipated.

Here's the code snippet I'm currently using for testing purposes:

server.js

  express.use(function(req, res, next) {
    res.set({
      "Content-Security-Policy":"script-src 'self' 'nonce-random1'"
    });
    return next();
  });

index.html

  <script nonce="random1" type="text/javascript" src="/script1.js"> 
  </script>

When checking the browser console, I encountered this error message: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-random1'...

As an experiment, I attempted to add the source /script1.js as if it were a domain:

  express.use(function(req, res, next) {
    res.set({
      "Content-Security-Policy":"script-src 'self' /script1.js"
    });
    return next();
  });

Despite my efforts, the solution didn't work and I still received the same error message.

I checked the documentation and confirmed that the syntax was correct. I also searched for relevant questions or articles but couldn't find any useful information.

I prefer not to use unsafe-inline. Instead, I plan to implement a one-time hash as a nonce for each request in the future.

Does anyone have insight into why the nonce is not functioning as expected?

javascriptexpressxsscontent-security-policy

Answer №1

When it says 'no' to executing an inline event handler

This indicates that you have event handlers embedded in tags like <div onclick='handler()'> or 

<body onload='some_javascript_here'>
, etc.
Your 
<script nonce='random1'>...</script>
is being executed, which can be confirmed by adding console.log('I am done').

Replace inline event handlers with addEventListener() or utilize jQuery if feasible.

"Content-Security-Policy":"script-src 'self' /script1.js"

is deemed incorrect; relative URLs like /script1.js are not permitted in the directive.
Your initial CSP setting 

"Content-Security-Policy":"script-src 'self' 'nonce-random1'"
is accurate.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Executing the fs.readFile operation within the callback of its parent fs.readFile does not happen asynchronously

I recently learned about the asynchronous nature of fs.readFile, where the reading process happens in a separate thread allowing the main thread to continue without being blocked. Intrigued by this concept, I decided to experiment with the following code s ...

node.jsexpressasynchronousasync-await

Encountering an ExpressionChangedAfterItHasBeenCheckedError in Angular 6 when selecting an option from a dropdown menu

How can we fix the error mentioned below through code changes? Situation An input dropdown UI is safeguarded against unintentional value changes by a modal. However, triggering an event (such as click or focus) on the dropdown leads to the ExpressionChan ...

javascriptangulartypescriptangular-bootstrap

Transforming AJAX call into an HTTP request in Node.js

Through AJAX calls, I can successfully connect to a 3rd party API and retrieve data when accessing the API through a browser. Below is the AJAX code snippet: var settings = { async: true, url: "https://rest.cricketapi.com/rest/v2/schedule/?access_toke ...

node.jsexpress

The command 'npm install -g bigcommerce-stencil/stencil-cli' failed to run properly in the Windows command prompt

Having successfully completed all installations on my Windows 7 SP1 PC, I attempted to run the following command: npm install -g bigcommerce-stencil/stencil-cli Unfortunately, I encountered an error as shown in the screenshot below: error screen For mo ...

javascriptnode.jsbigcommerce

Angular2 scripts are failing to load in the web browser

Setting up my index page has been more challenging than I anticipated. Take a look at my browser: https://i.stack.imgur.com/L4b6o.png Here is the index page I'm struggling with: https://i.stack.imgur.com/Op6lG.png I am completely stumped this tim ...

javascripthtmlangularjsnode.jsmean

"Exploring the concept of sub-resources in defining a REST API: A comprehensive

Recently, I set up a REST API using Express to gather information about suppliers and their inventory. The URL structure was as follows: /Supplier/Inventory{supplierId} (e.g http://MyServer/Supplier/Inventory/237 for supplier 237's inventory). To imp ...

node.jsrestexpress

The autofill ajax script is unable to populate dynamically added rows

As a newcomer to programming, I am trying to create a table that allows users to add new rows by clicking a button. Each row should have a field for inputting an ID which corresponds to some predefined numbers in another table, and then the other field sho ...

javascriptjqueryajaxdynamicrow

What is the process for integrating a new ACL middleware into my system?

I am currently implementing a client access control system based on IP ACL. function localAcl (options) { let {allowedMethods} = options if (!Array.isArray(allowedMethods)) { allowedMethods = [] } return function(req, res, next) { ...

node.jsexpress

"Revamp your site with Vue and API for dynamic background

I'm faced with an issue where I am attempting to modify the background of a joke fetched from an API, but for some reason, the background is not changing and I can't seem to identify why. The main problem lies in my inability to change the proper ...

javascripthtmlvue.js

Enforce directory organization and file naming conventions within a git repository by leveraging eslint

How can I enforce a specific naming structure for folders and subfolders? I not only want to control the styling of the names (kebab, camel), but also the actual names of the folders and files themselves. For example, consider the following paths: ./src/ ...

javascriptreactjstypescripteslintlint

Maintain the fancybox open even in case of ajax errors

I'm having an issue with my code where the fancybox closes automatically after displaying the error message briefly. I want it to remain open so that users have more time to fix their errors. What could be causing this problem? $(document).ready(func ...

javascriptjqueryajaxfancybox

What is the best way to define a constant in the main scope that relies on a function parameter?

I'm currently exploring next-auth and I'm interested in leveraging unstable_getserversession. According to the documentation, I need to import options from another file. import { authOptions } from 'pages/api/auth/[...nextauth]' Howeve ...

javascriptnext.jsnext-auth

What is the best method for managing an event loop during nested or recursive calculations?

When it comes to breaking a computation and releasing using setTimeout(), most examples seen involve having a shallow call stack. But what about scenarios where the computation is deeply nested or mutually-recursive, like in a tree search, with plenty of c ...

javascripttypescriptgeneratoryield

Having trouble with Vuejs uploading multiple images when not using a CDN?

Hello! I am currently experimenting with implementing this specific plugin for uploading multiple images using vue.js. Below you can find the code snippet that I have been working on. <!DOCTYPE html> <html lang="en> <head> &l ...

javascriptvue.js

How to ensure your content is always visible on Mobile Safari iOS 8 by making sure it stays

Although minimal-ui is no longer supported on iOS8, I've encountered an issue with some fixed content at the bottom of a webpage. The page height is set to 100vh to cover the entire viewport, but some of the content at the bottom is extending below t ...

javascriptjqueryhtmlioscss

React Material UI - DataGrid Continuously Distracting Focus Away from Input Field

I'm currently facing an issue with my React web app using Material-UI. The problem arises when I try to type in the search input field, but the focus keeps getting stolen by the Material-UI DataGrid whenever I click on it. Oddly enough, this only occu ...

javascriptreactjsinputmaterial-ui

Model with no collection involved

Take a look at this Model and View setup. Why is the indicated line not functioning as expected? var app = app || {}; (function () { app.CurrentUserView = Backbone.View.extend({ el: $('.avatar-container'), template: ux.templ ...

javascriptmodel-view-controllerbackbone.js

HTML form submission with a grid of multiple choice options

I have created my own multiple choice grid: <div style="overflow-x:auto;"> <table class="w-100"> <tr> <td class="border"></td> <td class="border">Yes</td> <td class="border">No</ ...

javascripthtmljquery

Encountered a header error while attempting to proceed with the

In one of my routes, the following code is implemented: if (elements.length <= 0) { var msg = 'no elements found'; console.error(msg); var err = new Error('Not found'); ...

javascriptnode.jsexpresserror-handling

Guide to implementing JWT authentication on a React application

I've been developing a web application using React and incorporating React Router. My current goal is to implement authentication for accessing protected pages within the app. I have a backend server running on Express, but I'm finding it challen ...

reactjsexpressauthenticationreact-routerjwt