2

I am integrating a cookie tool, OneTrust. I add it by adding scripts in the `<head>` of the HTML page. The scripts call other scripts and create inline styles. I managed to cover all scripts by adding a 'nonce' to these scripts. I have a problem with inline styles which are created on the CDN domain of the OneTrust tool. Is it possible to load scripts that contain dynamically injected inline styles with style-src 'self' set in the Content Security Policy (CSP)?

Has anyone solved a similar problem yet, or is the only solution to add an 'unsafe-inline' directive to the style-src in the CSP?

Lukasz J

1 Answer

0

OneTrust now has a "preview" feature where you can provide a nonce for your script, but it has to be enabled by their support team.

<script nonce="PPAjsdRsCmdup5UwtyLkdg==" src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" type="text/javascript" charset="UTF-8" data-domain-script="XXXXXXX"></script>

https://developer.onetrust.com/onetrust/docs/content-security-policy-cdn

waternova
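An added example, not part of the answer and not OneTrust's code: a server-side sketch that issues a fresh nonce per response for a policy without 'unsafe-inline', plus a simplified model of the browser's inline-style check showing why `style-src 'self'` alone blocks injected `<style>` elements. The names `newNonce`, `buildResponse` and `inlineStyleAllowed` are hypothetical, and it is an assumption that the vendor script copies the nonce onto the style elements it creates.

```javascript
// Added example. Web Crypto is global in browsers and current Node; older Node falls back.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Fresh 128-bit nonce for every HTTP response, base64 like the one in the answer.
function newNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Policy without 'unsafe-inline'; the same nonce is stamped on the stub script tag.
// domainScriptId is a placeholder parameter for the data-domain-script value.
function buildResponse(domainScriptId) {
  if (!/^[\w-]+$/.test(domainScriptId)) throw new TypeError("unexpected domain script id");
  const nonce = newNonce();
  const csp = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ].join("; ");
  const tag =
    `<script nonce="${nonce}" src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js" ` +
    `type="text/javascript" charset="UTF-8" data-domain-script="${domainScriptId}"></script>`;
  return { nonce, csp, tag };
}

// Simplified model of the browser's decision for an injected <style> element.
// Not modelled: hash sources matching content, style-src-elem, style="" attributes.
function inlineStyleAllowed(csp, elementNonce) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  const sources = directives.get("style-src") ?? directives.get("default-src");
  if (!sources) return true; // no governing directive, so nothing is blocked
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  // 'unsafe-inline' is ignored as soon as a nonce or hash source is listed.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  // Host and scheme sources such as 'self' never match inline content.
  return Boolean(elementNonce) && sources.includes(`'nonce-${elementNonce}'`);
}
```

A nonce only covers `<style>` elements; `style="..."` attributes cannot carry one, so any the vendor script writes will still be reported as violations under this policy.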