uMarketingsuite and strict CSP with nonces
Hi,
We're using uMarketingSuite version 1.20.4 and have implemented a strict CSP on our (Umbraco v11.0.0) site which makes use of nonces to whitelist inline scripts.
The plugin injects a couple of scripts which we would like to whitelist if possible.
Script 1:
Script 2:
I can use a hash-based whitelist on 'Script 1' since its contents seem to be static, however 'Script 2' includes a GUID value with the call to .init() where I imagine this may present issues.
Is it possible to set HTML attributes for these injected scripts? This would then allow us to inject the request nonce.
Or is there some other workaround we can use here? Perhaps the GUID value is always the same and we can use a hash whitelist for this script too?
Thanks,
Duane
Hi Duane,
This GUID is different for every pageview, it is the pageview id. So unfortunately you cannot whitelist a single hash for that script.
However, it is possible to add the nonce with some custom code. This uses the same mechanism we use to inject the script tag into the HTML -- an implementation of our IRequestFilter interface.
Please try this and let us know if it works for you too.
using System;
using System.Text.RegularExpressions;
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
// plus the uMarketingSuite namespace that declares IRequestFilter and UMarketingSuiteRequestContext

public class ScriptNonceFilter : IRequestFilter
{
    // Matches the opening "<script" of the analytics init tag only; the lookahead pins it to the
    // exact tag body (with the per-pageview GUID inside init("...")) so other script tags are untouched.
    private static readonly Regex _re = new(@"<script(?=>typeof uMarketingSuite!==""undefined""&&uMarketingSuite.analytics&&uMarketingSuite.analytics.init\(""[^""]+""\)</script>)");

    public int Priority => -1; // Run after any uMarketingSuite filters

    public void Filter(UMarketingSuiteRequestContext context, Action<Func<string, string>> writeContent)
    {
        writeContent(contents =>
        {
            // Replace with the per-request nonce that is also sent in the Content-Security-Policy header.
            var nonce = "YOUR_NONCE_HERE";
            return _re.Replace(contents, $"<script nonce=\"{nonce}\"");
        });
    }
}

public class ScriptNonceFilterComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddTransient<IRequestFilter, ScriptNonceFilter>();
    }
}
Regards,
Daniël
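An added example, not part of Daniël's reply or the uMarketingSuite code, showing where the YOUR_NONCE_HERE placeholder would come from: a middleware mints one nonce per request, emits it in the Content-Security-Policy header, and the same filter reads that value from HttpContext.Items instead of a constant. The uMarketingSuite namespace for IRequestFilter, the Script 1 hash placeholder and the policy string are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
// Assumed: the uMarketingSuite namespace that declares IRequestFilter / UMarketingSuiteRequestContext.

// Mints one nonce per request, publishes it in the CSP header and parks it in
// HttpContext.Items so later code (the filter below) reuses the identical value.
public class CspNonceMiddleware
{
    public const string ItemKey = "csp-nonce";
    private readonly RequestDelegate _next;
    public CspNonceMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext ctx)
    {
        // 128 bits from a CSPRNG; base64 is the form the CSP spec expects in 'nonce-...'.
        var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        ctx.Items[ItemKey] = nonce;
        // 'sha256-...' covers the static Script 1; the nonce covers Script 2 (per-pageview GUID).
        ctx.Response.Headers["Content-Security-Policy"] =
            $"default-src 'self'; script-src 'self' 'nonce-{nonce}' 'sha256-SCRIPT_1_HASH_PLACEHOLDER'";
        await _next(ctx);
    }
}

// Same filter as in the reply, but the nonce comes from the current request.
public class ScriptNonceFilter : IRequestFilter
{
    private static readonly Regex _re = new(@"<script(?=>typeof uMarketingSuite!==""undefined""&&uMarketingSuite.analytics&&uMarketingSuite.analytics.init\(""[^""]+""\)</script>)");
    private readonly IHttpContextAccessor _http;
    public ScriptNonceFilter(IHttpContextAccessor http) => _http = http;
    public int Priority => -1; // Run after any uMarketingSuite filters

    public void Filter(UMarketingSuiteRequestContext context, Action<Func<string, string>> writeContent)
    {
        writeContent(contents =>
        {
            var nonce = _http.HttpContext?.Items[CspNonceMiddleware.ItemKey] as string;
            // No nonce for this request: leave the markup alone rather than emit an empty attribute.
            if (string.IsNullOrEmpty(nonce)) return contents;
            return _re.Replace(contents, $"<script nonce=\"{nonce}\"");
        });
    }
}
```

Register the middleware ahead of Umbraco's pipeline (for example `app.UseMiddleware<CspNonceMiddleware>()` before `app.UseUmbraco()` in Startup.cs) and add `builder.Services.AddHttpContextAccessor()` next to the AddTransient registration in the composer from the reply.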
This works perfectly! Thank you so much for this.