Reputation: 1
We have upgraded the CSP headers from unsafe-inline and unsafe-eval to nonces. On the server side we generated nonce values using getter and setter methods, and we added the nonce to all required .js files.
Now my page is not opening and it gives the error below:

    Uncaught EvalError: call to Function() blocked by CSP Dojo 2 dojo.js:8:3808 Dojo 2
    Uncaught ReferenceError: dojo is not defined
Server-side code:

    String Nonce = (String) request.getSession().getAttribute("Nonce");
    if (Nonce == null) {
        Nonce = generateNonce();
        request.getSession().setAttribute("Nonce", Nonce);
    }
    // Content Security Policy header to prevent cross-site scripting attacks
    response.setHeader("Content-Security-Policy",
        "default-src 'self'; " +
        "script-src 'self' 'nonce-" + Nonce + "'; " +
        "child-src 'self'; " +
        "form-action 'self'; " +
        "frame-ancestors 'self'; " +
        "object-src 'self'; " +
        "media-src 'self'; " +
        "frame-src 'self'; " +
        "style-src 'self' 'nonce-" + Nonce + "'; " + // Removed 'unsafe-inline'
        "connect-src 'self'");

" type="text/javascript" src="XXXXXXXXXXXXXX/dojo/dojo.js" djConfig="parseOnLoad: false, locale: ''">
Upvotes: 0
Views: 47
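
An added example, not part of the original post: a small JavaScript model of how a browser reads `script-src`, run over the policy from the question with a constructed nonce value. It shows that a nonce authorises `<script>` elements only, while `eval()` and `Function()` (the call named in the reported error) are controlled solely by `'unsafe-eval'`. The function names, the constructed legacy policy and the simplified model (no hashes, `strict-dynamic` or `script-src-elem`) are assumptions of this example.

```javascript
// Added example: which script sinks does a CSP header permit?
// Simplified model: ignores hashes, 'strict-dynamic' and script-src-elem/attr.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, only the first occurrence of a directive counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function scriptCapabilities(header) {
  const d = parseCsp(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const src = d.get('script-src') ?? d.get('default-src');
  if (src === undefined) {
    return { nonces: [], inlineWithNonce: true, inlineWithoutNonce: true, stringEval: true };
  }
  const lower = src.map((s) => s.toLowerCase());
  const nonces = src
    .map((s) => /^'nonce-([A-Za-z0-9+/_-]+={0,2})'$/i.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  const unsafeInline = lower.includes("'unsafe-inline'");
  return {
    nonces,
    inlineWithNonce: nonces.length > 0 || unsafeInline,
    // Once a nonce is present, browsers ignore 'unsafe-inline'.
    inlineWithoutNonce: nonces.length === 0 && unsafeInline,
    // eval(), new Function() and string timers depend only on 'unsafe-eval'.
    stringEval: lower.includes("'unsafe-eval'"),
  };
}

// Constructed nonce; the rest of the policy is the one from the question.
const SAMPLE_NONCE = 'cjR0ZXN0bm9uY2U=';
const NONCE_POLICY =
  `default-src 'self'; script-src 'self' 'nonce-${SAMPLE_NONCE}'; child-src 'self'; ` +
  `form-action 'self'; frame-ancestors 'self'; object-src 'self'; media-src 'self'; ` +
  `frame-src 'self'; style-src 'self' 'nonce-${SAMPLE_NONCE}'; connect-src 'self'`;
// Constructed stand-in for the earlier policy the question describes.
const LEGACY_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

console.log('nonce policy :', scriptCapabilities(NONCE_POLICY));
console.log('legacy policy:', scriptCapabilities(LEGACY_POLICY));
```

Under the nonce policy `stringEval` is false, which matches the `EvalError` in the console output; the later `ReferenceError` follows because `dojo.js` stopped executing before it defined `dojo`.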