Reputation: 115
I have the code below in my xyz.js file.

    init : function() {
        if (!this.iframe) {
            this.iframe = document.createElement("iframe");
            this.iframe.src = "javascript:false;";
            document.body.appendChild(this.iframe);
        }
    }

I have updated the code from unsafe-inline to nonce. In the above code I am calling document.body.appendChild(this.iframe); and getting the error below:
1683098036010:402 Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present
I have tried to add the nonce as below, but it's not working:

    this.iframe.nonce = "EDNnf03nceIOfn39fn3e9h3sdfa";
    this.iframe.script='nonce="EDNnf03nceIOfn39fn3e9h3sdfa"';
    this.iframe.script.nonce="EDNnf03nceIOfn39fn3e9h3sdfa";
    this.iframe.setAttribute('nonce', "EDNnf03nceIOfn39fn3e9h3sdfa");

As in the code I have set this.iframe.src = "javascript:false;";, this should not throw that error.
Can anyone please provide an update on this?
Upvotes: 6
Views: 1886
Reputation: 115
The issue is in this.iframe.src = "javascript:false;";.
I have updated this line to this.iframe.src = "about:blank;";
For more, please refer to "iframe without an src attribute".
Upvotes: 0
Reputation: 376
For the nonce attribute you should set it on the script tag rather than the iframe. Then append the script tag to the body of the iframe's content document.

    init: function() {
        if (!this.iframe) {
            this.iframe = document.createElement("iframe");
            this.iframe.src = "javascript:false;";
            document.addEventListener("DOMContentLoaded", function() {
                document.body.appendChild(this.iframe);
            }.bind(this));
        }
        // Set nonce attribute on the script tag
        var scriptTag = document.createElement("script");
        scriptTag.setAttribute("nonce", "EDNnf03nceIOfn39fn3e9h3sdfa");
        scriptTag.textContent = ''; // write your js code here
        // Append the script tag inside the iframe content
        this.iframe.contentDocument.body.appendChild(scriptTag);
    }
Upvotes: 0
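Added example (not part of any post in this thread): a small checker that applies the CSP Level 3 inline-check rules for javascript: URLs to a policy string, showing why the policy quoted in the error refuses `javascript:false;` and why a nonce on the iframe cannot change that. The function names and verdict strings are hypothetical, and it assumes a single policy in one header value.

```javascript
// Added example: decide whether a script policy lets a javascript: URL run.
// Follows the CSP Level 3 inline check for "navigation" (javascript: URLs).

function parseCsp(header) {
  // "name v1 v2; name2 v3" -> Map(name -> [values]); first occurrence wins.
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

function javascriptUrlVerdict(header) {
  const csp = parseCsp(header);
  // javascript: navigations use script-src-elem, then script-src, then default-src.
  const sources = csp.get("script-src-elem") || csp.get("script-src") || csp.get("default-src");
  if (!sources) return "allowed"; // no directive governs scripts

  const lower = sources.map((s) => s.toLowerCase());
  const hasNonce = lower.some((s) => s.startsWith("'nonce-"));
  const hasHash = lower.some((s) => /^'sha(256|384|512)-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");

  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is listed.
  if (lower.includes("'unsafe-inline'") && !hasNonce && !hasHash && !strictDynamic) {
    return "allowed";
  }
  // A nonce never helps: a javascript: URL is not an element that carries one.
  // Only a listed hash together with 'unsafe-hashes' can still match.
  if (hasHash && lower.includes("'unsafe-hashes'")) return "allowed-if-hash-matches";
  return "blocked";
}

// Constructed sample policies (the second is the one quoted in the error above).
const samples = [
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "script-src 'self' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval'",
  "script-src 'self' 'unsafe-inline' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'",
];
for (const p of samples) console.log(javascriptUrlVerdict(p), "<-", p);
```

The third sample shows that keeping 'unsafe-inline' next to a nonce does not bring javascript: URLs back, so the durable fix is to stop using a javascript: URL as the iframe source.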