[Solved] How to use CSP Manager w/ Nonce
# help-with-other
l
Hullo all ^^ I'm fiddling with this super helpful lil' package: https://marketplace.umbraco.com/package/umbraco.community.cspmanager Never done anything with nonce and barely any CSP experience, but I'm trying to follow the Nonce instructions on the Repo (https://github.com/Matthew-Wise/Umbraco-CSP-manager). Simply adding the Tag Helper and then adding the provided snippet doesn't do anything. Does anyone have experience with this package that can help point me in the right direction for what I'm missing? Done some Googlin' but not sure what this package doesn't handle. Tried adding some 'nonce-' to the CSP source but no luck.
m
Hi, firstly thanks for checking out the package :). Are you inspecting the tags via the console, or the header itself? Dev tools hide the nonce value, so best to check the header or page source
You shouldn't need to do anything more than use the tag helper and enable the CSP via the back office
l
Hullo! It just didn't seem to work. Removing the unsafe inline/eval values for scripts, they weren't passing CSP rules when they had the 'csp-manager-add-nonce="true"' on them. Unless I've just misunderstood some part of the setup.
- Added the tag helper to ViewImports,
- then added that snippet to the inline scripts in the view.
- CSP is enabled and blocks them and spits out console errors saying so
Oh! Wait I may have just been a dodo and had to clear out the caches the worker is using...
....Dang, thought I had it xD Still have to use unsafe inline/eval 🤔
Is there a source that should be added to allow the nonce'd stuff?
m
Nope it should just be added if you used the nonce
l
Hmmm, well nonce is added but if I remove the unsafe eval and inline sources the CSP blocks them. I've tried with incognito and fresh caches. Any ideas on where I could look for a problem caused by something in the project?
m
Oh it's gtm 🙂 have you altered their script to be nonce aware? (In the gtag docs)?
l
That's just one example -- though didn't know there was a special version of the script for it; ty! @.@ Does it have to be modified at all to work with this package's application of nonce? I see it looks for an attribute that won't exist in the markup. But otherwise... All inline scripts don't work if I remove unsafe inline; not just GTM example. And if I remove unsafe eval other scripts can no longer call resources. Such as this one even though its resources are on the allowed sources list 🤔 <script csp-manager-add-nonce="true" type="text/javascript" src=""> Does that mean every single inline requires special things to be done in order for CSP not to block them? Like this project has an inline script to just apply an event listener for onload & call a js file for a PWA service worker; it gets blocked when unsafe inline is removed. The worker.js itself should be fine cause 'self' is allowed, right?
m
Unsafe eval is probably a requirement, as Google Tag Manager needs it: https://developers.google.com/tag-platform/security/guides/csp#custom_javascript_variables As for the service workers, you need to set worker-src to 'self'
l
Ah, k. Looks like I just gotta research each script individually to figure out their interaction with CSP. Dang Google. The point of nonce is to be able to get rid of unsafe sources :p Thanks a ton Matt! ❤️ Your package is a huge helper as are you!
m
No worries 🙂 take a look at 'strict-dynamic' as a script-src; it might just save you some work
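To see why the un-nonced inline scripts broke as soon as 'unsafe-inline' was dropped, and what 'strict-dynamic' and worker-src 'self' change, here is an added example that is not part of the thread or of the CSP Manager package: a toy evaluator of the script-src and worker-src source-matching rules. The site origin, the nonce value, the script paths and both policies are constructed for the demo.

```javascript
// Added example (not part of the thread or the CSP Manager package): a toy evaluator
// of CSP script-src / worker-src source matching. Origin, nonce and paths are constructed.
const PAGE_ORIGIN = "https://example.test"; // assumed site origin

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Directive fallback chain: worker-src -> child-src -> script-src -> default-src.
function sourcesFor(policy, directive) {
  const chain = {
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "script-src": ["script-src", "default-src"],
  };
  for (const d of chain[directive] || [directive]) if (policy[d]) return policy[d];
  return null; // no governing directive: nothing is blocked
}

// script = { nonce?: string, src?: string }; no src means an inline script.
function allowed(policy, directive, script) {
  const list = sourcesFor(policy, directive);
  if (list === null) return true;
  const strict = list.includes("'strict-dynamic'");
  const hasNonceOrHash = list.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // A matching nonce allows the script whether it is inline or external.
  if (script.nonce && list.includes(`'nonce-${script.nonce}'`)) return true;
  if (!script.src) {
    // 'unsafe-inline' is ignored once a nonce/hash source or 'strict-dynamic' is present,
    // which is why un-nonced inline scripts break as soon as a nonce is added.
    return list.includes("'unsafe-inline'") && !hasNonceOrHash && !strict;
  }
  if (strict) return false; // 'strict-dynamic' ignores 'self' and host allow-list entries
  const origin = new URL(script.src, PAGE_ORIGIN).origin;
  if (list.includes("'self'") && origin === PAGE_ORIGIN) return true;
  return list.some((s) => !s.startsWith("'") && !s.endsWith(":")
    && new URL(s.includes("://") ? s : "https://" + s).origin === origin);
}

// Constructed policies: the allow-list the poster started from vs. a nonce-based one.
const LOOSE_CSP = "script-src 'self' 'unsafe-inline' www.googletagmanager.com";
const NONCE_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; worker-src 'self'";
```

Under NONCE_CSP an inline script without the nonce is blocked, the GTM loader is allowed only when it carries the nonce, and /worker.js is allowed only because worker-src 'self' is set explicitly; without it the worker falls back to the strict script-src and is blocked too.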