javascript html node.js angular nonce

Getting error after adding nonce instead of 'unsafe-inline'


I have below code in my xyz.js file.

init : function() {
   if (!this.iframe) {
       this.iframe = document.createElement("iframe");
       // javascript: URL used as a placeholder src
       this.iframe.src = "javascript:false;";
       document.body.appendChild(this.iframe);
   }
}

I have updated the code from unsafe-inline to nonce. In the above code I am calling document.body.appendChild(this.iframe);

and I am getting the error below:

1683098036010:402 Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present

I have tried to add the nonce as below, but it's not working:

this.iframe.nonce = "EDNnf03nceIOfn39fn3e9h3sdfa";
this.iframe.script='nonce="EDNnf03nceIOfn39fn3e9h3sdfa"';
this.iframe.script.nonce="EDNnf03nceIOfn39fn3e9h3sdfa";
this.iframe.setAttribute('nonce', "EDNnf03nceIOfn39fn3e9h3sdfa");

As in the code I have set this.iframe.src = "javascript:false;";, this should not throw that error.

Can anyone please provide an update on this?


Solution

  • The issue is in this.iframe.src = "javascript:false;";. I have updated this line to this.iframe.src = "about:blank;";

    For more, please refer to "iframe without an src attribute".
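
As an added example (not part of the original question or answer), a simplified model of the CSP Level 3 inline check shows why the policy in the error message refuses javascript: URLs wherever the nonce is set on the iframe. The function names are hypothetical and this is not a browser implementation.

```javascript
// Simplified model of the CSP Level 3 inline check for javascript: URLs.
// Function names are hypothetical; this is not a browser implementation.
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)[^']+'$/i;
const HASH = /^'sha(256|384|512)-[^']+'$/i;

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function javascriptUrlVerdict(policy) {
  const directives = parsePolicy(policy);
  // javascript: navigations are checked against script-src-elem,
  // falling back to script-src and then default-src.
  const directive = ["script-src-elem", "script-src", "default-src"]
    .find((name) => directives.has(name));
  if (!directive) return { verdict: "allowed", directive: null };

  const sources = directives.get(directive);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));

  // 'unsafe-inline' only counts when no nonce, hash or 'strict-dynamic'
  // is present in the same source list.
  if (has("'unsafe-inline'") && !hasNonceOrHash && !has("'strict-dynamic'")) {
    return { verdict: "allowed", directive };
  }
  // Hashes apply to navigations only together with 'unsafe-hashes'.
  if (has("'unsafe-hashes'") && sources.some((s) => HASH.test(s))) {
    return { verdict: "hash-must-match", directive };
  }
  // A nonce is never consulted here: the check runs against the URL,
  // not against an element that could carry a nonce attribute.
  return { verdict: "blocked", directive };
}

// Policy string copied from the error message in the question.
const pagePolicy =
  "script-src 'self' 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'unsafe-eval'";
console.log(javascriptUrlVerdict(pagePolicy)); // { verdict: 'blocked', directive: 'script-src' }
```

Running the same function over a candidate policy before deployment flags any remaining reliance on javascript: URLs, which then need to be replaced in code rather than allowed in the policy.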