Content Security Policy issue #42
Description
I'm trying to implement content security policy but I can't remove 'unsafe-eval' or 'unsafe-inline' from the script-src in the policy because of this code from the canada.ca template:
<script type="text/javascript" nonce="eg0dg+TpLV67vNU12mvTsFbA"> document.write(wet.builder.splashTop({})); </script>Even if I add a nonce to this script element, the browser won't execute it because it is dynamically generated. Here's the error message from Chrome:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-eg0dg+TpLV67vNU12mvTsFbA' 'unsafe-eval' https://www.canada.ca https://cdnjs.cloudflare.com https://www.googletagmanager.com https://ajax.googleapis.com https://www.google-analytics.com". Either the 'unsafe-inline' keyword, a hash ('sha256-VdTQZOOA6p1QIhBQM+axlBd0ikS+W/fho1WFPEVTcdA='), or a nonce ('nonce-...') is required to enable inline execution.
Does anybody have any guidance on how to implement CSP without the "unsafe" sources?