
We are using netlify-cms, which unfortunately emits code that breaks CONTENT-SECURITY-POLICY 'unsafe-eval'.

I have tried adding nonce attributes to all the script tags using nginx sub_filter:

server {
  listen       80;
  # one fresh 32-char nonce per request, injected into every script/link tag
  set_secure_random_alphanum $cspNonce 32;
  sub_filter_once off;
  sub_filter_types *;
  sub_filter *CSP_NONCE* $cspNonce;
  sub_filter '<script' '<script nonce=\'$cspNonce\' ';
  sub_filter '<link' '<link nonce="$cspNonce" ';
}

I then add the nonce to the header also

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$cspNonce' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' petstore.swagger.io;connect-src 'self' petstore.swagger.io";

I can see that the nonces in the script tags and the header all match:

<script nonce='72UTQMpuXxfwcevvTydWt8XvOSzKhhjM' >

header

Content-Security-Policy default-src 'self'; script-src 'self' 'nonce-77Fdz6e1aBiGr5b8qcReeUgkO2NtJnSm'

But I still get the error message:

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-77Fdz6e1aBiGr5b8qcReeUgkO2NtJnSm'

1 Answer


By using 'nonce-value' you can get rid of 'unsafe-inline' only, but not of 'unsafe-eval'.

'unsafe-eval' in Netlify is required to compile JSON to JS code, but you can get rid of 'unsafe-eval' too. Just update ajv-json-loader to use AJV 7 and Standalone mode and configure webpack config to use the updated loader. See nitty-gritty here.


2 Comments

Thank you for the answer. Do you mean that nonce-value is only good for unsafe-inline?
Yes, 'nonce-value' (and 'hash-value') are applied to inline scripts and external scripts/styles. So they can be used to get rid of 'unsafe-inline' in script-src and style-src. Whereas 'unsafe-eval' covers creation functions from strings using eval() / new Function() / setTimeout('string', ) / setInterval('string', ). 'unsafe-eval' acts as a global page flag so it cannot be applied selectively.
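To make the distinction in the answer concrete, here is an added example (not from the question, the answer or the Netlify project): a small model of how a browser evaluates script-src, showing that a matching nonce admits an inline script while eval() is admitted only by 'unsafe-eval'. The policies and the nonce value are constructed; the parser covers plain `directive source source;` syntax and the script-src to default-src fallback, nothing more.

```javascript
// Parse "default-src 'self'; script-src 'self' 'nonce-abc'" into
// { "default-src": ["'self'"], "script-src": ["'self'", "'nonce-abc'"] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src governs scripts; when it is absent, default-src applies instead.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || [];
}

// An inline <script nonce="..."> runs if the header carries the same nonce
// (or the page still allows 'unsafe-inline').
function allowsInlineScript(header, nonce) {
  const sources = scriptSources(parseCsp(header));
  return sources.includes(`'nonce-${nonce}'`) || sources.includes("'unsafe-inline'");
}

// eval(), new Function(), setTimeout('string') are a page-wide switch:
// only 'unsafe-eval' enables them; nonces and hashes play no part.
function allowsEval(header) {
  return scriptSources(parseCsp(header)).includes("'unsafe-eval'");
}

// Constructed policies shaped like the one in the question (nonce is made up).
const NONCE = 'EXAMPLENONCE00000000000000000000';
const withNonce = `default-src 'self'; script-src 'self' 'nonce-${NONCE}'; connect-src 'self'`;
const withEval = `default-src 'self'; script-src 'self' 'nonce-${NONCE}' 'unsafe-eval'`;
const defaultOnly = `default-src 'self' 'unsafe-eval'`;

// Stand-alone run: the nonced policy admits the inline script but not eval();
// only the policies that name 'unsafe-eval' admit eval().
console.log('inline with matching nonce:', allowsInlineScript(withNonce, NONCE));
console.log('eval under nonce-only policy:', allowsEval(withNonce));
console.log('eval with unsafe-eval:', allowsEval(withEval), allowsEval(defaultOnly));
```

The last case shows why adding 'unsafe-eval' to default-src alone stops working the moment a script-src directive is present: script-src replaces the fallback rather than extending it.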
