Blocked CSP with nonce
Hi,
I trust this message finds you well.
I am setting a nonce on the script element and I have followed the web widget CSP documentation. However, I am getting a CSP violation.
I cannot use unsafe-inline as per internal policy, so I need to get the nonce working, but it gets blocked too.
Error:
The error appears as: "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-xxxxxxxxxxxxxxxxx'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution." With a reference to web-widget-218-a0e6bddf78f556c0ba98.js:2
Script:
<!-- Start of greenbuildingregistry Zendesk Widget script -->
<script id="ze-snippet" src="https://static.zdassets.com/ekr/snippet.js?key=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" nonce="random-csp-nonce"> </script>
<!-- End of greenbuildingregistry Zendesk Widget script -->
Any suggestions?
We would not want to use a hash, as it turns out to be risky and complicated to apply everywhere, and we cannot use "unsafe-inline" as per company policy.
Thank you,
Teo
-
Hello!
I have turned this into a ticket for our Support Team. You should be receiving an email about this shortly.
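An added example (not part of this thread and not Zendesk's code) that models the check behind the error quoted in the question: `style-src` is matched separately from `script-src`, so a nonce on the loader `<script>` does not cover `<style>` elements that script injects, and the hash printed in the error is the CSP hash of empty content. The function names and the scenario are hypothetical, and the browser decision is a simplified model using only the Node.js standard library.

```javascript
// Added example: models how style-src matches an inline <style> element.
const crypto = require('node:crypto');

// CSP hash source: base64 SHA-256 over the element's exact text content.
function cspHash(content) {
  const digest = crypto.createHash('sha256').update(content, 'utf8').digest('base64');
  return `sha256-${digest}`;
}

// One fresh nonce per HTTP response; a fixed string gives no protection.
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// script-src and style-src are separate directives and are matched separately.
function buildCsp(nonce) {
  return `script-src 'self' 'nonce-${nonce}'; style-src 'self' 'nonce-${nonce}'`;
}

// Simplified decision for one inline <style>: allowed only if its nonce
// attribute or its content hash appears in style-src. default-src fallback
// and 'unsafe-inline' are deliberately not modelled.
function inlineStyleAllowed(policy, style) {
  const directive = policy.split(';').map((d) => d.trim())
    .find((d) => d.startsWith('style-src '));
  if (!directive) return false;
  const sources = directive.split(/\s+/).slice(1);
  if (style.nonce && sources.includes(`'nonce-${style.nonce}'`)) return true;
  return sources.includes(`'${cspHash(style.content)}'`);
}

// Constructed scenario: the loader <script> carries the nonce, then injects
// <style> elements at runtime.
function demo() {
  const nonce = newNonce();
  const policy = buildCsp(nonce);
  return {
    emptyHash: cspHash(''),
    injectedWithoutNonce: inlineStyleAllowed(policy, { content: '' }),
    injectedWithNonce: inlineStyleAllowed(policy, { nonce, content: '' }),
    hashListed: inlineStyleAllowed(`${policy} '${cspHash('')}'`, { content: '' }),
  };
}

console.log(demo());
```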