0

I'm using NWebSec to add nonces to script tags, e.g.

<script nws-csp-add-nonce="true">
    ...
</script>

However, I need to add the nonce to another attribute, so need to do something like this:

<script nws-csp-add-nonce="true" data-nonce="@Html.CspNonce()">
    ...
</script>

Is this possible with NWebSec, or is the generated nonce not accessible in any way?

For context, this is to try to get Google tag manager to propagate the nonce to custom HTML scripts.

Edit

The suggested solution below seems to work. So I needed to add this to the GTM script:

var gtmScript = document.getElementById('gtmscript');
gtmScript.setAttribute('data-nonce', gtmScript.nonce);

Which takes the nonce and adds it to a data-nonce attribute. Not the nicest solution. I'd much prefer having access to the nonce in the backend.

Tom
  • 1,561
  • 4
  • 20
  • 29
  • 1
    Does this answer your question? [Add nonce to script tag](https://stackoverflow.com/questions/67123053/add-nonce-to-script-tag). nwebsec is irrelevant here since it's just a piece of backend. Your question here is about dynamically inserting nonce through front-end. Which defeats the purpose of nonce, I believe. – BNazaruk Nov 18 '21 at 20:33
  • Thanks, I'll have a look at using the `nonce` property and adding `data-nonce` that way and update with whether that worked. – Tom Nov 18 '21 at 20:41

0 Answers0