Developer Forum


Preserve strict Content-Security-Policy

We want to implement a strict Content-Security-Policy where we want to only allow 'self' scripts and the scripts that include a hash or a nonce.

But we are having trouble after implementing this strategy because LocalizeJS functionality refuses to run: the browser won't allow it, reporting errors such as this:

Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'sha256-123' 'nonce-123' https://global.localizecdn.com". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
Does LocalizeJS provide a way to inject the nonce or hash into its scripts while we use it in our web app? So we can safely use the Content-Security-Policy header without loosening the policy and also use LocalizeJS to its full potential?

Thanks.