Chris Price
Joined October 16, 2021 · Last activity October 16, 2021
Latest activity by Chris Price
Chris Price created a post,
My app is using the web widget via the loading of the ze-snippet script. I am setting a nonce on the script element and I have followed the web widget CSP documentation. However, I am getting a CSP violation due to an iframe attempting to run an inline script.
I believe I've narrowed it down to the "asset_composer.js" script that's loaded into an iframe by the snippet. I can see that there's an inline script that does not have a nonce. The only way to remove this violation is to add "unsafe-inline" to my script policy, which is not acceptable. Am I missing something here? I've seen numerous conversations about CSP but none are related to this issue, and it appears there was an effort to improve this in the past couple years but it's still broken.
Thanks,
Chris
Posted August 03, 2021 · Chris Price
0 followers · 11 votes · 13 comments