Sunday, 16 April 2023

How to use nonce or sha with connect-src(csp)?

Is it possible to use a nonce with an API request so that connect-src in CSP will detect that it is not a malicious address?

Until now I have seen that a nonce can only be used in script-src or style-src, not in connect-src.

So far I have only been able to put the URL list in connect-src...

If anyone has an example in Angular or JS, please share.

That's what my CSP looks like:

connect-src 'self' data: https://url wss://url 'nonce-the_nonce'; script-src 'self' 'nonce-the_nonce';

The fetch request with a nonce (THIS URL IS NOT INCLUDED IN MY connect-src URL list; I want that to work with a nonce):

  <script nonce="the_nonce">
    // The nonce on this element only satisfies script-src (it lets this inline script run).
    // The fetch() below is governed by connect-src, which is matched on the destination URL.
    fetch(`https://url`, {method: 'GET'}).then(res => {
      console.log(res.status);
    }, err => {
      // fetch() rejects with a TypeError; the CSP violation itself is reported on the console
      console.log(err.message);
    });
  </script>

The error I get:

Refused to connect to 'https://url' because it violates the following Content Security Policy directive: "connect-src 'self' data: https://url wss://url 'nonce-the_nonce".



from How to use nonce or sha with connect-src(csp)?
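To see why the nonce has no effect here, the following added example (not code from the question or from any answer) implements a simplified version of the CSP3 source-matching rule for fetch directives and evaluates the asker's policy; the page origin https://app.example.test and the API host https://api.example.test are constructed placeholders, and path matching and the http-to-https upgrade rule are left out.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """Simplified CSP3 'does url match expression?' for fetch directives such as connect-src.
    Only 'self', scheme-sources and host-sources are compared against a URL; nonce, hash and
    other keyword sources never match one, so a 'nonce-...' in connect-src is dead weight."""
    target = urlparse(url)
    if expr == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.hostname, target.port) == \
               (origin.scheme, origin.hostname, origin.port)
    if expr.startswith("'"):                    # 'nonce-…', 'sha256-…', 'none', 'unsafe-inline', …
        return False
    if expr == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if expr.endswith(":") and "/" not in expr:  # scheme-source, e.g. data: or https:
        return target.scheme == expr[:-1].lower()
    # host-source: [scheme://]host[:port][/path]; wildcard host and port handled, path ignored
    pattern = urlparse(expr if "://" in expr else "//" + expr)
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if pattern.port is not None and pattern.port != target.port:
        return False
    host, want = target.hostname or "", pattern.hostname or ""
    if want.startswith("*."):
        return host.endswith(want[1:])
    return host == want

def connect_allowed(header, url, page_origin):
    """Would a fetch()/XHR/WebSocket from page_origin to url pass this policy?"""
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True                             # no governing directive: CSP does not restrict it
    return any(source_matches(s, url, page_origin) for s in sources)

# Constructed sample: the asker's policy, a page origin, and an API origin that is not listed.
PAGE_ORIGIN = "https://app.example.test"
ORIGINAL_CSP = ("connect-src 'self' data: https://url wss://url 'nonce-the_nonce'; "
                "script-src 'self' 'nonce-the_nonce';")
# The fix is to list the destination origin in connect-src; the nonce there does nothing.
FIXED_CSP = ORIGINAL_CSP.replace("'nonce-the_nonce';", "https://api.example.test;", 1)

if __name__ == "__main__":
    for csp in (ORIGINAL_CSP, FIXED_CSP):
        print(connect_allowed(csp, "https://api.example.test/v1/items", PAGE_ORIGIN))
```

Running it prints False for the original policy and True for the fixed one, which is the same decision the browser reports in the console message above.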
