Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • DG 8 posts 119 karma points
    Jan 03, 2023 @ 15:50

    uMarketingsuite and strict CSP with nonces


    We're using uMarketingSuite version 1.20.4 and have implemented a strict CSP on our (Umbraco v11.0.0) site which makes use of nonces to whitelist inline scripts.

    The plugin injects a couple scripts which we would like to whitelist if possible.

    Script 1:

    <script>!function(){var u='/umbraco/umarketingsuite/pagedata/ping';if(typeof navigator.sendBeacon=='function')navigator.sendBeacon(u);else{var x=new XMLHttpRequest;'POST',u,!0);x.send()}}()</script>

    Script 2:

    <script>typeof uMarketingSuite!=="undefined"&&"ae3407ba-d880-48e4-9adb-70a3f1909086")</script>

    I can use a hash based whitelist on 'Script 1' since its contents seem to be static, however 'Script 2' includes a GUID value with the call to .init() where I imagine this may present issues.

    Is it possible to set HTML attributes for these injected scripts? This would then allow us to inject the request nonce.

    Or is there some other workaround we can use here? Perhaps the GUID value is always the same and we can use hash whitelist for this script too?



  • Daniël Knippers 153 posts 1116 karma points MVP 2x c-trib
    Jan 04, 2023 @ 08:23
    Daniël Knippers

    Hi Duane,

    Perhaps the GUID value is always the same and we can use hash whitelist for this script too?

    This GUID is different for every pageview, it is the pageview id. So unfortunately you cannot whitelist a single hash for that script.

    However, it is possible to add the nonce with some custom code. This uses the same mechanism we use to inject the script tag into the HTML -- an implementation of our IRequestFilter interface.

    Please try this and let us know if it works for you too.

    public class ScriptNonceFilter : IRequestFilter
        private static readonly Regex _re = new(@"<script(?=>typeof uMarketingSuite!==""undefined""&&\(""[^""]+""\)</script>)");
        public int Priority => -1; // Run after any uMarketingSuite filters
        public void Filter(UMarketingSuiteRequestContext context, Action<Func<string, string>> writeContent)
            writeContent(contents =>
                var nonce = "YOUR_NONCE_HERE";
                return _re.Replace(contents, $"<script nonce=\"{nonce}\"");
    public class ScriptNonceFilterComposer : IComposer
        public void Compose(IUmbracoBuilder builder)
            builder.Services.AddTransient<IRequestFilter, ScriptNonceFilter>();



  • DG 8 posts 119 karma points
    Jan 04, 2023 @ 11:13

    This works perfectly! Thank you so much for this.

Please Sign in or register to post replies

Write your reply to: