
We are getting a security issue due to unsafe-inline in the header, and as per the security team we should use a nonce, but that one is difficult to use with the inline event handler method, so we are looking for an option to use 'self' instead of a nonce.

unknown_11

1 Answer

Inline event handlers are not nonceable elements, so you can't allow them with a nonce. Your options are to use 'unsafe-inline' or to rewrite event handling into a file on your server, for which you would need 'self' to load. Adding 'self' will allow files under that directive to load, but will not allow inline event handlers directly.

Halvor Sakshaug
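The rewrite the answer describes, as an added example that is not part of the original post: inline `on*` attributes are replaced by `data-*` attributes plus one delegated listener in a same-origin file, which loads under `script-src 'self'`. The file name, action names (`removeItem`, `toggleMenu`) and the `data-action`/`data-id` attributes are hypothetical, and `findInlineHandlers` is a rough regex audit, not an HTML parser.

```javascript
// handlers.js: served from the page's own origin, so it loads under
//   Content-Security-Policy: script-src 'self'
// Markup changes from   <button onclick="removeItem(42)">
//                 to    <button data-action="removeItem" data-id="42">
// All names here (removeItem, toggleMenu, data-action, data-id) are hypothetical.

// Allowlist of actions. A data-action value that is not a key here is ignored,
// so injected markup cannot reach arbitrary functions or prototype members.
const actions = Object.assign(Object.create(null), {
  removeItem: (el) => `removed ${el.dataset.id}`,
  toggleMenu: (el) => `toggled ${el.dataset.id}`,
});

// One delegated listener replaces every inline on* attribute.
function dispatch(event) {
  const el = event.target && event.target.closest('[data-action]');
  if (!el) return null;
  const handler = actions[el.dataset.action];
  if (typeof handler !== 'function') return null;
  event.preventDefault();
  return handler(el, event);
}

// Audit helper: list inline on* attributes still present in a chunk of markup.
// Each one stops working when 'unsafe-inline' is dropped from script-src.
// Rough scan: it can misreport text inside quoted attribute values.
function findInlineHandlers(html) {
  const found = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /\s(on[a-z]+)\s*=/gi;
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[2].matchAll(attrRe)) {
      found.push(`${tag[1].toLowerCase()}:${attr[1].toLowerCase()}`);
    }
  }
  return found;
}

// Register the listener only when running in a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('click', dispatch);
}
```

The page then references the file with `<script src="/js/handlers.js"></script>` (path assumed) and carries no inline script or handler attributes.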