6

I have the below code in my xyz.js file.

init : function() {
   if (!this.iframe) {
       this.iframe = document.createElement("iframe");
       this.iframe.src = "javascript:false;";
       document.body.appendChild(this.iframe);
   }
}

I have updated the code from unsafe-inline to nonce. In the above code I am calling document.body.appendChild(this.iframe);

and I am getting the below error:

1683098036010:402 Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present

I have tried to add the nonce as below, but it's not working:

this.iframe.nonce = "EDNnf03nceIOfn39fn3e9h3sdfa";
this.iframe.script='nonce="EDNnf03nceIOfn39fn3e9h3sdfa"';
this.iframe.script.nonce="EDNnf03nceIOfn39fn3e9h3sdfa";
this.iframe.setAttribute('nonce', "EDNnf03nceIOfn39fn3e9h3sdfa");

As I have set this.iframe.src = "javascript:false;"; in the code, this should not throw that error.

Can anyone please provide an update on this?

2 Answers

0

For the nonce attribute you should set it on the script tag rather than the iframe. Then append the script tag to the body of the iframe's content document.

init: function() {
   if (!this.iframe) {
       this.iframe = document.createElement("iframe");
       this.iframe.src = "javascript:false;";
       document.addEventListener("DOMContentLoaded", function() {
           document.body.appendChild(this.iframe);
       }.bind(this));
   }

   // Set nonce attribute on the script tag
   var scriptTag = document.createElement("script");
   scriptTag.setAttribute("nonce", "EDNnf03nceIOfn39fn3e9h3sdfa");
   scriptTag.textContent = ''; // write your js code here

   // Append the script tag inside the iframe content
   this.iframe.contentDocument.body.appendChild(scriptTag);
}

4 Comments

But my error is coming on this line: document.body.appendChild(this.iframe); it's not going further down.

It's because the script is being executed before the document.body element is fully loaded. Edited the answer, have a try.

Getting the below error: caught TypeError: Cannot read properties of null (reading 'body') at YAHOO.Adeptra.ProgressIndicator.init (adeptra.js?_=1683528863919:419:31) at adeptraInit (adeptra.js?_=1683528863919:1727:16) at n (utilities.js?_=1683528863919:13:7981), on this line: this.iframe.contentDocument.body.appendChild(scriptTag);

@SakibRahman this.iframe.contentDocument.body.appendChild(scriptTag); is giving an error, as I see that this.iframe is null. I think this.iframe.contentDocument.body.appendChild(scriptTag); is getting executed before this.iframe = document.createElement("iframe"); Hence this.iframe is null, and when we do this.iframe.something it gives "Cannot read properties of null". How can we make this code synchronizable so that code execution happens one line at a time?

0

The issue is in this.iframe.src = "javascript:false;";. I have updated this line to this.iframe.src = "about:blank;";

For more, please refer to "iframe without an src attribute".
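
Why no nonce placement changes the error in the question, as an added example that is not part of the original thread: a small model of how a CSP source list is evaluated for a `javascript:` URL navigation. The function names are illustrative, the rules follow my reading of CSP Level 3 inline checks, and hash comparison itself is not computed.

```javascript
// Added example (not from the thread): models how CSP treats a javascript:
// URL navigation such as iframe.src = "javascript:false;". Names are illustrative.
const NONCE = /^'nonce-[a-z0-9+\/_-]+={0,2}'$/i;
const HASH = /^'sha(256|384|512)-[a-z0-9+\/_-]+={0,2}'$/i;

// Parse a policy string into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns "allowed", "blocked" or "hash-dependent" for javascript: URLs.
function javascriptUrlVerdict(policy) {
  const directives = parsePolicy(policy);
  // javascript: navigations are governed by script-src-elem, falling back
  // to script-src and then default-src.
  const name = ["script-src-elem", "script-src", "default-src"]
    .find((d) => directives.has(d));
  if (name === undefined) return "allowed"; // no directive restricts scripts
  const sources = directives.get(name);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const hasNonce = sources.some((s) => NONCE.test(s));
  const hasHash = sources.some((s) => HASH.test(s));
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
  if (has("'unsafe-inline'") && !hasNonce && !hasHash && !has("'strict-dynamic'")) {
    return "allowed";
  }
  // A navigation has no element to carry a nonce, so nonces never match here;
  // hashes are consulted only when 'unsafe-hashes' is present (not computed here).
  if (has("'unsafe-hashes'") && hasHash) return "hash-dependent";
  return "blocked";
}

// The policy quoted in the error message in the question.
const PAGE_POLICY =
  "script-src 'self' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval'";
console.log(javascriptUrlVerdict(PAGE_POLICY));
```

A "blocked" verdict means the placeholder iframe needs a src that is not a `javascript:` URL, which is the change the second answer makes.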
