There are some necessary considerations to using nonces over hashes, but they could significantly shorten the resulting policy if multiple code blocks are added to a page.

Comments

gapple created an issue. See original summary.

  • gapple committed 4297b9b on 8.x-1.x
    Issue #3099539: Whitelist inline scripts with nonce
    
gapple’s picture

Status: Active » Fixed

Since this has some risks, and is less likely to be compatible with the Dynamic Page Cache than using hashes, there is no interface, but using a nonce can be enabled with a config option:

  $config['attachinline.settings']['csp-whitelist-method'] = 'nonce';
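
The trade-off described in the issue summary and in the comment above, as an added illustration that is not code from the module or from this issue: a hash-based `script-src` grows with every inline block, while a nonce keeps it short but has to be fresh for each response, which is where cached markup conflicts with it. It uses only PHP built-ins; the function names and sample scripts are hypothetical.

```php
<?php
// Added example: plain PHP, no Drupal or module APIs. Sample scripts are constructed.

/** Source expression that allows one exact inline script body. */
function csp_hash_source(string $script): string {
  return "'sha256-" . base64_encode(hash('sha256', $script, true)) . "'";
}

/** script-src with one hash per inline block: grows with every block. */
function policy_with_hashes(array $scripts): string {
  return "script-src 'self' " . implode(' ', array_map('csp_hash_source', $scripts));
}

/** script-src with a single nonce: same length for any number of blocks. */
function policy_with_nonce(string $nonce): string {
  return "script-src 'self' 'nonce-$nonce'";
}

/** A nonce must be unpredictable and generated anew for every response. */
function new_nonce(): string {
  return base64_encode(random_bytes(16));
}

/** Inline script markup carrying the nonce attribute. */
function render_scripts(array $scripts, string $nonce): string {
  $html = '';
  foreach ($scripts as $script) {
    $html .= '<script nonce="' . $nonce . '">' . $script . "</script>\n";
  }
  return $html;
}

$scripts = ['console.log("a");', 'console.log("b");', 'console.log("c");'];

// Policy length: three hash sources versus one nonce source.
printf("hashes: %d bytes\n", strlen(policy_with_hashes($scripts)));
printf("nonce:  %d bytes\n", strlen(policy_with_nonce(new_nonce())));

// Caching hazard: markup rendered for request 1 is stored and reused, while
// the header sent with request 2 carries a fresh nonce.
$cached_markup = render_scripts($scripts, new_nonce());
$nonce2 = new_nonce();
$matches = strpos($cached_markup, 'nonce="' . $nonce2 . '"') !== false;
echo "header 2: " . policy_with_nonce($nonce2) . "\n";
echo $matches ? "cached scripts allowed\n" : "cached scripts blocked: nonce mismatch\n";
// Caching the header together with the markup would avoid the mismatch only by
// reusing the nonce, which removes the per-response freshness it relies on.
// Hash sources depend only on script content, so they stay valid when cached.
```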

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

modestmoes’s picture

I noticed that the config schema changed. If using version 1.2 or later, the updated config override is:

$config['attachinline.settings']['csp-allow-method'] = 'nonce';