Gist marinhero/0b7dc607a5644d4ec634baf0799218d3, last active April 10, 2024 12:39
<html>
<head>
  <!-- Nonce-based CSP for the Wootric SDK: each script tag carries a nonce that
       appears in script-src, and 'strict-dynamic' extends that trust to the
       scripts wootric-sdk.js loads itself. img-src and font-src allow the data:
       scheme; the colon is required, a bare "data" would be read as a host name. -->
  <meta http-equiv="Content-Security-Policy"
        content="connect-src https://*.wootric.com;
                 script-src 'nonce-EBVmWKEBEP' 'nonce-iApyYLoklC' 'strict-dynamic';
                 object-src 'none';
                 base-uri 'none';
                 img-src 'self' data:;
                 font-src 'self' data:;" />
  <meta charset="utf-8">
  <!-- The SDK itself, trusted through its nonce. -->
  <script type="text/javascript" src="https://cdn.wootric.com/wootric-sdk.js" nonce="iApyYLoklC"></script>
  <!-- Inline bootstrap, trusted through its own nonce. -->
  <script type="text/javascript" nonce="EBVmWKEBEP">
    window.wootricSettings = { account_token: 'NPS-YOURTOKEN', created_at: 1561852800 };
    window.wootric('run');
  </script>
</head>
<body>
</body>
</html>
wootric-sdk.js also injects inline styles, so you need to add either 'unsafe-inline' (which is not recommended) or the corresponding hash to the style-src policy... The problem with hashing is that we can't control when the Wootric style will change.
Can't you improve the nonce CSP approach for style-src as well?
Long shot, @marinhero: any chance of getting this CSP narrowed down a bit? *.wootric.com seems pretty open; e.g. ideally this CSP wouldn't include your testing/QA environments, etc.
Many thanks!