UPDATE 27/4/2022 : CSP is greatly enhanced in the upcoming 10.0.4 release, so doing this yourself will no longer be necessary.
This is specifically for Infomap authentication policies.
The mechanism is as follows :
- add a header that includes a nonce (a random value that is different for every page)
- add the (hash) nonce to the script tags
I implemented this by generating a random value in the mapping rule for the infomap. I choose a 13 characters random string for no particular reason. Ideally, you’d make sure the nonce is unique and you would also verify it’s unique (server-side).
// generate a nonce var templateNonce = OAuthMappingExtUtils.generateRandomString(13); macros.put("**@TEMPLATENONCE@**", templateNonce);
Then , in the html page for the Infomap, I add a header:
templateContext.response.setHeader("Content-Security-Policy","default-src 'self'; script-src 'nonce-"+templateContext.macros["@TEMPLATENONCE@"]+"';");
Every script tag then needs to include a nonce.
To accommodate the piece of code that’s added for the IV_JCT cookie, you can generate a sha256 hash value. You need to generate a hash by taking all the text between the ‘script’ tags - including all carriage returns, spaces, tabs and whatnot. I paste that text into a text file, and then use openssl to generate the hashes.
To generate it, you need to copy all the code (including comments, whitespace, tabs, carriage returns and what else) , put it in a file and generate the hash:
cat test.js | openssl sha256 -binary | openssl base64
The result is always the same:
Precede it with “sha256-“ and add to the header:
<% templateContext.response.setHeader("Content-Security-Policy","default-src 'self'; script-src 'nonce-"+templateContext.macros ["@TEMPLATENONCE@"]+"' 'sha256-1ICPqU0KcyH0XeAruG+H5+h7JCqchnCGp1SD7g5JON8=';"); %>