cancel
Showing results for 
Search instead for 
Did you mean: 

Enabling nonce in Portal

As we would allow inline-scripting without violating 'unsafe-inline' CSP, we would like to enable nonce for our inline-scripts. Setting the nonce in the CSP header will not automatically add the nonce to the script sections in the generated page, thus the settings has no effect. Moreover, the nonce should be generated randomly for every request, according to standard, thus setting it in the CSP header using the site settings will not be a viable solution.

 

An important security aspect when using a nonce is that you need to generate a new nonce each time a page is loaded and make sure the nonce is not predictable in any way. An attacker who can guess the nonce will still be able to run inline code. Place the generated nonce in your CSP header dynamically and insert the same nonce dynamically in the page source that contains the inline code blocks.

 

A proper solution will be generating a nonce per request and adding this nonce to the inline script sections of the page, and to the CSP header.

 

Technically, this might be avoided with not allowing unsafe-inline and use js webfiles. However, in the case when this is not feasible and inline scripting must be use, having nonce feature is the best solution.

 

In DynamicF&O , we have similiar nonce feature : Manage Content Security Policy (CSP) - Commerce | Dynamics 365 | Microsoft Docs

Status: New
Comments
aka-akadijk
Microsoft

This functionality is required and made mandatory by government in the Netherlands to be able to use the public identity service DigiD (for security reasons).  Without this functionality, customers can not use PowerApps portal with DigiD login anymore.