0

I have been using inline CSS as well, so, like I added a nonce to my style e.g. . I need to add a nonce to my inline style.

No idea where to apply it, because in inline CSS we only add its properties.

<html>
<input type="text" style="width:95%;height:80%;padding:10px;display:none" />
<!-- here I wanted to add a nonce -->
</html>

Here I wanted to add a nonce. Note that I can't move all the CSS to the head or to an external file.

deepak mishra

1 Answer

0

For an inline script you want to “whitelist”, make your backend code insert a nonce attribute into the document before it’s sent over the wire.

 <script nonce="EDNnf07nceIrfp39fn3e9h3sdfa">...</script>
Sandeep
  • I used this concept and it's working, but my concern is about the inline CSS, `style="properties:value";`. How do I allow these? I mean, how do I whitelist my inline CSS? – deepak mishra Jul 30 '19 at 13:17
  • 1
    Hi @deepak, I am reading an article about that; maybe this will help you: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src – Sandeep Jul 30 '19 at 13:38
  • Will you help me to resolve this? `onclick="redirectToPage('HOME','','','')">Home`, you used this but it's being blocked, as inline event handlers are not allowed because I restricted unsafe-inline. To allow inline scripts I used a nonce, but what should I do here to allow the inline event handler? – deepak mishra Jul 31 '19 at 06:11
  • 1
    For onclicks you need to allow `unsafe-inline`. I recommend instead not using inline scripts; but recognize this may not be feasible with large legacy systems. – Stephen R Aug 08 '19 at 17:19
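
An added example, not from the question or the answer above: a nonce can only be carried by `<style>` and `<script>` elements, so for a `style="..."` attribute or an `onclick` handler the CSP Level 3 alternative to `'unsafe-inline'` is `'unsafe-hashes'` plus a hash of the exact attribute value. The function names are hypothetical, and the sketch assumes the target browsers implement `'unsafe-hashes'`.

```python
import base64
import hashlib
import secrets


def new_nonce() -> str:
    """Unguessable value; generate a fresh one for every HTTP response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_hash(attr_value: str) -> str:
    """Hash source for one attribute value; must match it byte for byte."""
    digest = hashlib.sha256(attr_value.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def directive(name: str, nonce: str, attr_values) -> str:
    """Nonce covers <style>/<script> elements; hashes cover attributes."""
    sources = [f"'nonce-{nonce}'"]
    if attr_values:
        # 'unsafe-hashes' lets the listed hashes match style="" attributes
        # (style-src) and inline event handlers (script-src).
        sources.append("'unsafe-hashes'")
        sources += sorted({csp_hash(v) for v in attr_values})
    return f"{name} {' '.join(sources)}"


def build_csp(nonce: str, style_attrs, handler_attrs) -> str:
    """Content-Security-Policy header value without 'unsafe-inline'."""
    return "; ".join([
        directive("style-src", nonce, style_attrs),
        directive("script-src", nonce, handler_attrs),
    ])


# Attribute values taken from the question and comments above. Only fixed,
# developer-written values belong here, never anything built from user input.
STYLE_ATTRS = ["width:95%;height:80%;padding:10px;display:none"]
HANDLER_ATTRS = ["redirectToPage('HOME','','','')"]

if __name__ == "__main__":
    nonce = new_nonce()
    print("Content-Security-Policy:", build_csp(nonce, STYLE_ATTRS, HANDLER_ATTRS))
    print(f'<style nonce="{nonce}">/* element-level CSS */</style>')
```

Any change to a hashed attribute value, even a single space, needs a new hash in the policy, so generating the hash list at build or template-render time keeps the header in sync with the markup.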